hijackloader | 307abb12c62dd8421cedfe6a11475e742caaae82faf9cb14d9812772edefe8d7

General

Target

fast_copy.exe
Size

5.6MB
MD5

f659a0d8ebd02ee8ee6eb70cef397cd7
SHA1

78c4038cd147d6e14cb0255e7ff170d477e9eca4
SHA256

307abb12c62dd8421cedfe6a11475e742caaae82faf9cb14d9812772edefe8d7
SHA512

ae5275a56c782960d7d3efdd32d8458300b763114d040723b363f51dbd77ae6e371ef3d4081745feac202890284c77ddf8e796289a473eb43b998172b6eaddb9
SSDEEP

98304:AUd98EKniqMUs8RVe0jHs4+b4EmeICxgHxC6qz1loJoYFqQ5dn6uqhAoCVtxnz+C:F8sn+RVJM44YCxwxmzLOFfdrq+P/xnCC

Score

10^/10

hijackloader stealc benjiworld29 discovery loader stealer

Malware Config

Extracted

Family

stealc

Botnet

benjiworld29

C2

http://45.159.208.21

Attributes

url_path
/e24f48bbd86dab7e.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/760-0-0x0000000000400000-0x0000000000561000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

5000 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

fast_copy.exe

description pid process target process

PID 760 set thread context of 5000 760 fast_copy.exe cmd.exe

pid	process
5000	cmd.exe

description	pid	process	target process
PID 760 set thread context of 5000	760	fast_copy.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeexplorer.exefast_copy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fast_copy.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fast_copy.execmd.exe

pid process

760 fast_copy.exe
760 fast_copy.exe
5000 cmd.exe
5000 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

fast_copy.execmd.exe

pid process

760 fast_copy.exe
5000 cmd.exe

pid	process
760	fast_copy.exe
760	fast_copy.exe
5000	cmd.exe
5000	cmd.exe

pid	process
760	fast_copy.exe
5000	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fast_copy.execmd.exe

description	pid	process	target process
PID 760 wrote to memory of 5000	760	fast_copy.exe	cmd.exe
PID 760 wrote to memory of 5000	760	fast_copy.exe	cmd.exe
PID 760 wrote to memory of 5000	760	fast_copy.exe	cmd.exe
PID 760 wrote to memory of 5000	760	fast_copy.exe	cmd.exe
PID 5000 wrote to memory of 1576	5000	cmd.exe	explorer.exe
PID 5000 wrote to memory of 1576	5000	cmd.exe	explorer.exe
PID 5000 wrote to memory of 1576	5000	cmd.exe	explorer.exe
PID 5000 wrote to memory of 1576	5000	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\fast_copy.exe
"C:\Users\Admin\AppData\Local\Temp\fast_copy.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6bc05779

Filesize
1.0MB

MD5
1d00a7630de9187b979ed8725b879c0f

SHA1
867937f34290cd6f6f8140015ee9f5b5ee0394bb

SHA256
6f945db60d46d427cdce1ae673edecf64bcdd1897dcefd087944546cec5cd240

SHA512
21b6c6d6c65e263b46999b24b4c3226084c84611512f95b43ba52d0b5937887c3558381ed0e087f92a71f91478933d08d59bda306253312fb18a171a2445d181

Download Submit
memory/760-1-0x0000000074620000-0x000000007479B000-memory.dmp

Filesize
1.5MB

Download
memory/760-2-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

Filesize
2.0MB

Download
memory/760-3-0x0000000074633000-0x0000000074635000-memory.dmp

Filesize
8KB

Download
memory/760-4-0x0000000074620000-0x000000007479B000-memory.dmp

Filesize
1.5MB

Download
memory/760-5-0x0000000074620000-0x000000007479B000-memory.dmp

Filesize
1.5MB

Download
memory/760-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1576-14-0x0000000001200000-0x0000000001463000-memory.dmp

Filesize
2.4MB

Download
memory/1576-15-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

Filesize
2.0MB

Download
memory/1576-16-0x0000000001200000-0x0000000001463000-memory.dmp

Filesize
2.4MB

Download
memory/1576-20-0x0000000000B03000-0x0000000000B0B000-memory.dmp

Filesize
32KB

Download
memory/1576-21-0x0000000000A20000-0x0000000000E53000-memory.dmp

Filesize
4.2MB

Download
memory/1576-22-0x0000000001200000-0x0000000001463000-memory.dmp

Filesize
2.4MB

Download
memory/5000-9-0x00007FFCBCB70000-0x00007FFCBCD65000-memory.dmp

Filesize
2.0MB

Download
memory/5000-10-0x0000000074620000-0x000000007479B000-memory.dmp

Filesize
1.5MB

Download
memory/5000-11-0x0000000074620000-0x000000007479B000-memory.dmp

Filesize
1.5MB

Download
memory/5000-13-0x0000000074620000-0x000000007479B000-memory.dmp

Filesize
1.5MB

Download
memory/5000-7-0x0000000074620000-0x000000007479B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads