Malware Analysis Report

2025-08-05 23:32

Sample ID 250119-x794hasqcj
Target 2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk
SHA256 892ee52f7e8e44fdf0776193cadf5919eec3c23b8f649109d8f53351a7657b9b
Tags: spyware stealer
Score: 3/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 3/10

SHA256: 892ee52f7e8e44fdf0776193cadf5919eec3c23b8f649109d8f53351a7657b9b

Threat Level: Likely benign

The file 2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk was found to be: Likely benign (score 3/10).

Basis for the verdict, from the behavioral1 run below: the only two signatures that fired (reading browser user/profile data and use of WriteProcessMemory) are both consistent with the observed process tree, in which the sample relaunches itself as a Crashpad crash-reporting handler (--type=crashpad-handler) with the Opera Stable profile directory as its crash database and Opera's crash-collector URL. The captured network traffic consists solely of reverse-DNS (PTR) lookups sent to 8.8.8.8; no forward lookup of that collector, or of any other hostname, was recorded. The family names in the filename (cobalt-strike, hijackloader, ryuk) are part of the name the sample was submitted under; no signature on this page corresponds to any of them. A low score from a short detonation is not proof of benignity: a loader that checks for a sandbox, or waits longer than the 148 s of kernel time this run allowed, would produce the same profile.

Malicious Activity Summary

Tags: spyware stealer

Reads user/profile data of web browsers
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-19 19:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-19 19:30
Reported: 2025-01-19 19:33
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe"

Signatures

Processes

Process 1 (the submitted sample)
Path: C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe"

Process 2 (the same image relaunched with --type=crashpad-handler, which is how Chromium-derived browsers such as Opera start their Crashpad crash-reporting helper)
Path: C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.21 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6bba51638,0x7ff6bba51644,0x7ff6bba51650
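The Crashpad handler command line above carries everything an analyst needs for a first consistency check: the product annotation, the crash-collector URL and the crash-database path should all point at the same vendor. The following script is an added example, not part of the sandbox report or of any Opera or Chromium code; it parses that command line (copied verbatim as its only input) into switches and annotations and returns a few triage facts. KNOWN_CRASH_COLLECTORS is a hypothetical allow-list created for the example. The caveat matters: every annotation is set by the process that launched the handler, so a binary impersonating a browser can make all three agree; agreement is a weak signal, disagreement a cheap reason to look closer.

```python
import re
from urllib.parse import urlparse

# Crashpad handler command line exactly as listed in the process tree above.
CRASHPAD_CMDLINE = (
    r'C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe'
    r' --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler'
    r' "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports"'
    r' "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt"'
    r' --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable'
    r' --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.21'
    r' --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6bba51638,0x7ff6bba51644,0x7ff6bba51650'
)

# Hypothetical allow-list for the consistency check: product annotation ->
# (crash-collector domain suffix, vendor directory expected in the profile path).
KNOWN_CRASH_COLLECTORS = {
    "OperaDesktop": ("opera.com", "Opera Software"),
}


def split_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments (which may contain spaces) together and dropping the quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_chromium_cmdline(cmdline):
    """Parse a Chromium-style command line into the executable, `--key=value`
    switches, `--annotation=k=v` pairs and any remaining positional arguments."""
    tokens = split_windows_cmdline(cmdline)
    exe, switches, annotations, positional = tokens[0], {}, {}, []
    for tok in tokens[1:]:
        if not tok.startswith("--"):
            positional.append(tok)          # e.g. /prefetch:4
            continue
        key, _, value = tok[2:].partition("=")
        if key == "annotation":
            akey, _, avalue = value.partition("=")
            annotations[akey] = avalue
        else:
            switches[key] = value
    return {"exe": exe, "switches": switches,
            "annotations": annotations, "positional": positional}


def triage_crashpad_handler(cmdline):
    """Return triage facts for a suspected Crashpad handler invocation.

    All annotations are supplied by the launching process, so agreement between
    product, collector host and database path is only a consistency signal.
    """
    p = parse_chromium_cmdline(cmdline)
    sw, ann = p["switches"], p["annotations"]
    collector_host = urlparse(sw.get("url", "")).hostname or ""
    product = ann.get("prod", "")
    expected = KNOWN_CRASH_COLLECTORS.get(product)
    database = sw.get("database", "")
    client_handles = [h for h in sw.get("initial-client-data", "").split(",") if h]
    vendor_consistent = False
    if expected is not None:
        domain_suffix, vendor_dir = expected
        vendor_consistent = (
            (collector_host == domain_suffix or collector_host.endswith("." + domain_suffix))
            and vendor_dir.lower() in database.lower()
        )
    return {
        "is_crashpad_handler": sw.get("type") == "crashpad-handler",
        "product": product,
        "version": ann.get("ver", ""),
        "collector_host": collector_host,
        "vendor_consistent": vendor_consistent,
        # image runs from a user-writable temp directory, not an install directory
        "runs_from_temp": "\\appdata\\local\\temp\\" in p["exe"].lower(),
        # inherited handles passed to the handler; the last three are in-process addresses
        "client_handle_count": len(client_handles),
    }


if __name__ == "__main__":
    for key, value in triage_crashpad_handler(CRASHPAD_CMDLINE).items():
        print(f"{key:22} {value}")
```

For this sample the checks agree with each other, which is why the two signatures in the summary can be read as ordinary browser behaviour; the one fact the command line cannot tell you is whether the image is a genuine Opera build, which needs the binary's signature or hash checked separately.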

Network

All captured traffic is DNS to 8.8.8.8 on UDP/53, and every queried name is an in-addr.arpa reverse (PTR) lookup. No forward lookup of crashstats-collector-2.opera.com, the --url on the Crashpad handler command line, or of any other hostname appears, and no non-DNS connections were recorded.

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
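Reading a sandbox DNS table by eye is error-prone: a PTR name is the address with its octets reversed, and a single forward lookup hidden among reverse ones is the row that matters. The script below is an added example, not part of the report; it takes the table above (pasted verbatim as constructed input), decodes each in-addr.arpa or ip6.arpa name back to the address it refers to, separates forward lookups from reverse ones, and reports which expected hostnames never appeared. EXPECTED_FORWARD_LOOKUPS is an assumption for the example, taken from the --url switch in the process tree.

```python
import ipaddress

# The Network table above, pasted verbatim as constructed input for this example.
SANDBOX_DNS_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
"""

# Hostnames the sample would have to resolve if its Crashpad handler ever
# phoned home (assumption for this example, taken from the --url switch).
EXPECTED_FORWARD_LOOKUPS = {"crashstats-collector-2.opera.com"}


def ptr_name_to_ip(name):
    """Decode a reverse-DNS name (in-addr.arpa or ip6.arpa) to the address it
    refers to, as a string. Returns None for anything that is not a well-formed
    reverse name, which is how a normal forward lookup is recognised."""
    n = name.rstrip(".").lower()
    try:
        if n.endswith(".in-addr.arpa"):
            octets = n[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if n.endswith(".ip6.arpa"):
            nibbles = n[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32 or any(len(x) != 1 for x in nibbles):
                return None
            hexdigits = "".join(reversed(nibbles))
            groups = (hexdigits[i:i + 4] for i in range(0, 32, 4))
            return str(ipaddress.IPv6Address(":".join(groups)))
    except ValueError:          # malformed octet or hex digit
        return None
    return None


def classify_dns_rows(rows):
    """Split sandbox DNS rows into reverse lookups [(name, decoded IP)] and
    forward lookups [hostname]. Only forward lookups show the sample trying to
    reach something by name; PTR queries name an address the OS or sandbox
    tooling already knew and are typically background noise."""
    reverse, forward = [], []
    for line in rows.strip().splitlines():
        country, resolver, qname, proto = line.split()
        ip = ptr_name_to_ip(qname)
        if ip is None:
            forward.append(qname.rstrip(".").lower())
        else:
            reverse.append((qname, ip))
    return reverse, forward


def missing_expected_lookups(rows, expected=EXPECTED_FORWARD_LOOKUPS):
    """Expected hostnames that never appeared as a forward lookup."""
    _, forward = classify_dns_rows(rows)
    return sorted(expected - set(forward))


if __name__ == "__main__":
    reverse, forward = classify_dns_rows(SANDBOX_DNS_ROWS)
    for qname, ip in reverse:
        print(f"PTR  {qname:32} -> {ip}")
    print("forward lookups:", forward or "none")
    print("expected but absent:", missing_expected_lookups(SANDBOX_DNS_ROWS))
```

Run against this report the script finds thirteen reverse lookups, no forward lookup at all, and the Opera crash collector absent; that absence is consistent with a browser process that never crashed during the run, not evidence either way about the sample's intent.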

Files

N/A