hijackloader | 294e7740b29b6752803a6cffb86677472b72fcb96e3011f02e25ae80af5a2695

General

Target

0x000b00000001e4ef-846.exe
Size

5.6MB
MD5

f659a0d8ebd02ee8ee6eb70cef397cd7
SHA1

78c4038cd147d6e14cb0255e7ff170d477e9eca4
SHA256

307abb12c62dd8421cedfe6a11475e742caaae82faf9cb14d9812772edefe8d7
SHA512

ae5275a56c782960d7d3efdd32d8458300b763114d040723b363f51dbd77ae6e371ef3d4081745feac202890284c77ddf8e796289a473eb43b998172b6eaddb9
SSDEEP

98304:AUd98EKniqMUs8RVe0jHs4+b4EmeICxgHxC6qz1loJoYFqQ5dn6uqhAoCVtxnz+C:F8sn+RVJM44YCxwxmzLOFfdrq+P/xnCC

Score

10^/10

hijackloader stealc benjiworld29 discovery loader stealer

Malware Config

Extracted

Family

stealc

Botnet

benjiworld29

C2

http://45.159.208.21

Attributes

url_path
/e24f48bbd86dab7e.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4724-0-0x0000000000400000-0x0000000000561000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2680 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0x000b00000001e4ef-846.exe

description pid process target process

PID 4724 set thread context of 2680 4724 0x000b00000001e4ef-846.exe cmd.exe

pid	process
2680	cmd.exe

description	pid	process	target process
PID 4724 set thread context of 2680	4724	0x000b00000001e4ef-846.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0x000b00000001e4ef-846.execmd.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0x000b00000001e4ef-846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0x000b00000001e4ef-846.execmd.exe

pid process

4724 0x000b00000001e4ef-846.exe
4724 0x000b00000001e4ef-846.exe
2680 cmd.exe
2680 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0x000b00000001e4ef-846.execmd.exe

pid process

4724 0x000b00000001e4ef-846.exe
2680 cmd.exe

pid	process
4724	0x000b00000001e4ef-846.exe
4724	0x000b00000001e4ef-846.exe
2680	cmd.exe
2680	cmd.exe

pid	process
4724	0x000b00000001e4ef-846.exe
2680	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0x000b00000001e4ef-846.execmd.exe

description	pid	process	target process
PID 4724 wrote to memory of 2680	4724	0x000b00000001e4ef-846.exe	cmd.exe
PID 4724 wrote to memory of 2680	4724	0x000b00000001e4ef-846.exe	cmd.exe
PID 4724 wrote to memory of 2680	4724	0x000b00000001e4ef-846.exe	cmd.exe
PID 4724 wrote to memory of 2680	4724	0x000b00000001e4ef-846.exe	cmd.exe
PID 2680 wrote to memory of 2504	2680	cmd.exe	explorer.exe
PID 2680 wrote to memory of 2504	2680	cmd.exe	explorer.exe
PID 2680 wrote to memory of 2504	2680	cmd.exe	explorer.exe
PID 2680 wrote to memory of 2504	2680	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\0x000b00000001e4ef-846.exe
"C:\Users\Admin\AppData\Local\Temp\0x000b00000001e4ef-846.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f2a4dc8

Filesize
1.0MB

MD5
5f8e22e91f4cf9aac34f28eff1359abd

SHA1
4087d0a4db781311c3f00c18ca8b5e25c29c3ec8

SHA256
dab4a678286708cae1b65bd7971caefbd6349965021a39349f2cbf1b81fe74c6

SHA512
36919cd18f8c4f4d9685bf4c9b42dc0c62c5163bf3017783072126d42b090c77c1b31fe26d3fc5c0d0b37887cbf958dcfa45864baad796f5b7b62a7919dca30c

Download Submit
memory/2504-24-0x0000000001000000-0x0000000001263000-memory.dmp

Filesize
2.4MB

Download
memory/2504-23-0x0000000000BC0000-0x0000000000FF3000-memory.dmp

Filesize
4.2MB

Download
memory/2504-22-0x0000000000CA3000-0x0000000000CAB000-memory.dmp

Filesize
32KB

Download
memory/2504-18-0x0000000001000000-0x0000000001263000-memory.dmp

Filesize
2.4MB

Download
memory/2504-17-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/2504-16-0x0000000001000000-0x0000000001263000-memory.dmp

Filesize
2.4MB

Download
memory/2680-11-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/2680-9-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/2680-12-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/2680-13-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/2680-15-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/4724-7-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/4724-0-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/4724-6-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/4724-5-0x00000000743A3000-0x00000000743A5000-memory.dmp

Filesize
8KB

Download
memory/4724-4-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download
memory/4724-3-0x00000000743A3000-0x00000000743A5000-memory.dmp

Filesize
8KB

Download
memory/4724-2-0x00007FFF44C90000-0x00007FFF44E85000-memory.dmp

Filesize
2.0MB

Download
memory/4724-1-0x0000000074390000-0x000000007450B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads