hijackloader | 307abb12c62dd8421cedfe6a11475e742caaae82faf9cb14d9812772edefe8d7

General

Target

fast_copy.exe
Size

5.6MB
MD5

f659a0d8ebd02ee8ee6eb70cef397cd7
SHA1

78c4038cd147d6e14cb0255e7ff170d477e9eca4
SHA256

307abb12c62dd8421cedfe6a11475e742caaae82faf9cb14d9812772edefe8d7
SHA512

ae5275a56c782960d7d3efdd32d8458300b763114d040723b363f51dbd77ae6e371ef3d4081745feac202890284c77ddf8e796289a473eb43b998172b6eaddb9
SSDEEP

98304:AUd98EKniqMUs8RVe0jHs4+b4EmeICxgHxC6qz1loJoYFqQ5dn6uqhAoCVtxnz+C:F8sn+RVJM44YCxwxmzLOFfdrq+P/xnCC

Score

10^/10

hijackloader stealc benjiworld29 discovery loader stealer

Malware Config

Extracted

Family

stealc

Botnet

benjiworld29

C2

http://45.159.208.21

Attributes

url_path
/e24f48bbd86dab7e.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x0000000000561000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2488 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

fast_copy.exe

description pid process target process

PID 2172 set thread context of 2488 2172 fast_copy.exe cmd.exe

pid	process
2488	cmd.exe

description	pid	process	target process
PID 2172 set thread context of 2488	2172	fast_copy.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fast_copy.execmd.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fast_copy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fast_copy.execmd.exe

pid process

2172 fast_copy.exe
2172 fast_copy.exe
2488 cmd.exe
2488 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

fast_copy.execmd.exe

pid process

2172 fast_copy.exe
2488 cmd.exe

pid	process
2172	fast_copy.exe
2172	fast_copy.exe
2488	cmd.exe
2488	cmd.exe

pid	process
2172	fast_copy.exe
2488	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

fast_copy.execmd.exe

description	pid	process	target process
PID 2172 wrote to memory of 2488	2172	fast_copy.exe	cmd.exe
PID 2172 wrote to memory of 2488	2172	fast_copy.exe	cmd.exe
PID 2172 wrote to memory of 2488	2172	fast_copy.exe	cmd.exe
PID 2172 wrote to memory of 2488	2172	fast_copy.exe	cmd.exe
PID 2172 wrote to memory of 2488	2172	fast_copy.exe	cmd.exe
PID 2488 wrote to memory of 1720	2488	cmd.exe	explorer.exe
PID 2488 wrote to memory of 1720	2488	cmd.exe	explorer.exe
PID 2488 wrote to memory of 1720	2488	cmd.exe	explorer.exe
PID 2488 wrote to memory of 1720	2488	cmd.exe	explorer.exe
PID 2488 wrote to memory of 1720	2488	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\fast_copy.exe
"C:\Users\Admin\AppData\Local\Temp\fast_copy.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\110ee546

Filesize
1.0MB

MD5
2a6f2580cc9f0c8f14e7d4f0bb480cf1

SHA1
f1380e60332e59717712ec14e96fa0ab52c009ba

SHA256
e88404e18425779a209b0441b5f1311caa6696fce0c827ed7beb70983b5783fd

SHA512
0b51858ff3bcb88146ea9ef5ecd002818827bc9360873d942c3d7ecd7c1be524891ac451637d081623b517eb790e50926cc46de67fd3b9597eeb4350a8cebcc9

Download Submit
memory/1720-22-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1720-20-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/1720-21-0x0000000000730000-0x00000000009B1000-memory.dmp

Filesize
2.5MB

Download
memory/1720-18-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1720-17-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/1720-16-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/2172-4-0x00000000743F0000-0x0000000074564000-memory.dmp

Filesize
1.5MB

Download
memory/2172-8-0x00000000743F0000-0x0000000074564000-memory.dmp

Filesize
1.5MB

Download
memory/2172-5-0x0000000074403000-0x0000000074405000-memory.dmp

Filesize
8KB

Download
memory/2172-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2172-3-0x0000000074403000-0x0000000074405000-memory.dmp

Filesize
8KB

Download
memory/2172-2-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/2172-1-0x00000000743F0000-0x0000000074564000-memory.dmp

Filesize
1.5MB

Download
memory/2488-11-0x0000000077080000-0x0000000077229000-memory.dmp

Filesize
1.7MB

Download
memory/2488-12-0x00000000743F0000-0x0000000074564000-memory.dmp

Filesize
1.5MB

Download
memory/2488-13-0x00000000743F0000-0x0000000074564000-memory.dmp

Filesize
1.5MB

Download
memory/2488-15-0x00000000743F0000-0x0000000074564000-memory.dmp

Filesize
1.5MB

Download
memory/2488-9-0x00000000743F0000-0x0000000074564000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads