hijackloader | 17e5475fe29d1e9f486646f38adcb5749cfe73bc384ec7a926b6a5b08919ba41

General

Target

Chrome.exe
Size

9.4MB
MD5

e2d364cf06651d253e151be263c6f1c3
SHA1

9633116d44b2d8e7600e0f1313b24194e91a9ef3
SHA256

17e5475fe29d1e9f486646f38adcb5749cfe73bc384ec7a926b6a5b08919ba41
SHA512

c9261a9ca430949772a6d8959029851c2e600b9744f3d3a28020c443cf072ab92cb11025b01f9cd4bb492db5bd55f71340ff35ff6884d4babface3369c9d3523
SSDEEP

196608:tLX8vpjby5OkoeYXp0leGQ7WWbR6otLwGwP55ar9kCmlwe1Xf/Ohz2+lnBVyGt:tIvxy58eYXm7Q7WWbR5L+5Mr9k3d1Xfs

Score

10^/10

hijackloader rhadamanthys discovery loader stealer

Malware Config

Extracted

Family

rhadamanthys

C2

http://91.103.140.200:9078/3936a074a2f65761a5eb8/ipm2s60c.ut26e

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/648-0-0x0000000000900000-0x000000000127C000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2432 created 2640	2432	explorer.exe	44

Deletes itself 1 IoCs

pid	Process
2420	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 648 set thread context of 2420	648	Chrome.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
648	Chrome.exe
648	Chrome.exe
2420	cmd.exe
2420	cmd.exe
2432	explorer.exe
2432	explorer.exe
872	openwith.exe
872	openwith.exe
872	openwith.exe
872	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
648	Chrome.exe
2420	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 2420	648	Chrome.exe	85
PID 648 wrote to memory of 2420	648	Chrome.exe	85
PID 648 wrote to memory of 2420	648	Chrome.exe	85
PID 648 wrote to memory of 2420	648	Chrome.exe	85
PID 2420 wrote to memory of 2432	2420	cmd.exe	100
PID 2420 wrote to memory of 2432	2420	cmd.exe	100
PID 2420 wrote to memory of 2432	2420	cmd.exe	100
PID 2420 wrote to memory of 2432	2420	cmd.exe	100
PID 2432 wrote to memory of 872	2432	explorer.exe	102
PID 2432 wrote to memory of 872	2432	explorer.exe	102
PID 2432 wrote to memory of 872	2432	explorer.exe	102
PID 2432 wrote to memory of 872	2432	explorer.exe	102
PID 2432 wrote to memory of 872	2432	explorer.exe	102

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:872

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35caafc6

Filesize
1.1MB

MD5
a1e1b55d3c365ea29259a3eff236e219

SHA1
592c36b0ae49a5a41dbe9a1e30f4714eaccc3020

SHA256
a3c52230f605d5f1ec0d49ecb7c6f468b6a6aa30f94caa20557e285515aa860f

SHA512
1bd32f02402d311d36f5eafa0e95aa9d5a2b5a5765e34d8f82bca4728d1e824d3094d9983658feb77de133456682d455d505df5b18e6272be9331f7c4f59fd4c

Download Submit
memory/648-0-0x0000000000900000-0x000000000127C000-memory.dmp

Filesize
9.5MB

Download
memory/648-1-0x0000000074E10000-0x0000000074F8B000-memory.dmp

Filesize
1.5MB

Download
memory/648-2-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/648-4-0x0000000074E10000-0x0000000074F8B000-memory.dmp

Filesize
1.5MB

Download
memory/648-3-0x0000000074E23000-0x0000000074E25000-memory.dmp

Filesize
8KB

Download
memory/648-5-0x0000000074E10000-0x0000000074F8B000-memory.dmp

Filesize
1.5MB

Download
memory/872-25-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/872-29-0x00000000023D0000-0x00000000027D0000-memory.dmp

Filesize
4.0MB

Download
memory/872-32-0x0000000077130000-0x0000000077345000-memory.dmp

Filesize
2.1MB

Download
memory/872-30-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-9-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/2420-10-0x0000000074E10000-0x0000000074F8B000-memory.dmp

Filesize
1.5MB

Download
memory/2420-11-0x0000000074E10000-0x0000000074F8B000-memory.dmp

Filesize
1.5MB

Download
memory/2420-13-0x0000000074E10000-0x0000000074F8B000-memory.dmp

Filesize
1.5MB

Download
memory/2420-7-0x0000000074E10000-0x0000000074F8B000-memory.dmp

Filesize
1.5MB

Download
memory/2432-19-0x00000000040F0000-0x00000000044F0000-memory.dmp

Filesize
4.0MB

Download
memory/2432-22-0x0000000000A30000-0x0000000000E63000-memory.dmp

Filesize
4.2MB

Download
memory/2432-18-0x0000000000B13000-0x0000000000B1B000-memory.dmp

Filesize
32KB

Download
memory/2432-24-0x0000000077130000-0x0000000077345000-memory.dmp

Filesize
2.1MB

Download
memory/2432-27-0x00000000006B0000-0x0000000000730000-memory.dmp

Filesize
512KB

Download
memory/2432-20-0x00000000040F0000-0x00000000044F0000-memory.dmp

Filesize
4.0MB

Download
memory/2432-16-0x00000000006B0000-0x0000000000730000-memory.dmp

Filesize
512KB

Download
memory/2432-15-0x00007FFC2C1F0000-0x00007FFC2C3E5000-memory.dmp

Filesize
2.0MB

Download
memory/2432-14-0x00000000006B0000-0x0000000000730000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing