hijackloader

General

Target

Predictor7.6.3.rar
Size

6.9MB
Sample

250209-dz113stncx
MD5

7ec2cc85a11571242df2cfa7bf1356cc
SHA1

2ed744b4f8db3b39c9731585bd326e6e7651c8d2
SHA256

582fdb7c59c3d2f029b94ccb3fb8c8be2d905d6ba3bd70715fe7954c9d7530c5
SHA512

1850c3ecf79e2d81b3f16cd290c1f207071dde8af203f82037be0e32b71cf7744a2a0e8ffdc03db12c8c2a82746cacdfe819fe99493d50239ada318f0ad0faf2
SSDEEP

196608:N/BfEBFj7rREFEXdsfJfaeddIRNYAFv0t:rEBFX9EOktZ+f2t

Score

10^/10

hijackloader remcos v2 adware discovery loader persistence privilege_escalation rat stealer

Malware Config

Extracted

Family

remcos

Botnet

v2

C2

185.157.162.126:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
qsdazeazd-EL00KX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Predictor7.6.3.rar
- Size
  
  6.9MB
- MD5
  
  7ec2cc85a11571242df2cfa7bf1356cc
- SHA1
  
  2ed744b4f8db3b39c9731585bd326e6e7651c8d2
- SHA256
  
  582fdb7c59c3d2f029b94ccb3fb8c8be2d905d6ba3bd70715fe7954c9d7530c5
- SHA512
  
  1850c3ecf79e2d81b3f16cd290c1f207071dde8af203f82037be0e32b71cf7744a2a0e8ffdc03db12c8c2a82746cacdfe819fe99493d50239ada318f0ad0faf2
- SSDEEP
  
  196608:N/BfEBFj7rREFEXdsfJfaeddIRNYAFv0t:rEBFX9EOktZ+f2t
Score

3^/10

discovery
behavioral1
- Target
  
  Predictor7.6.3/Check this Before Open!.png
- Size
  
  106KB
- MD5
  
  2aaf9dcbef5f0fb02725b516163d71fa
- SHA1
  
  77a4f69078a4fb5e258c3196b42ec319589f60da
- SHA256
  
  83471a3c48abf4f11c7a920ab907efcd183e058801f8711e467e9c2efa8b1ad8
- SHA512
  
  ddc353c3fbc469dee34ee69d33be80997170194aaf8d580df0f044125698cdec6239f736e11e1dd01e2abd7c3a7e09f5d370f1a9d2f7bb43f6fdafa2ea0d5396
- SSDEEP
  
  3072:K5GDgY9gZCAnoiicqJUcs6WOw91co1FpSOqycoiCq:OGtKZ7ozcAWOwPpHiB
Score

8^/10

adware discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral2
- Target
  
  Predictor7.6.3/Predictor7.6.3.msi
- Size
  
  2.9MB
- MD5
  
  ae5b94abf028388af1454ed76806cc6f
- SHA1
  
  ef013c7eec6fc6c14ccd414b5eb87abf1476566a
- SHA256
  
  f286d2b89eaebb2e1e6e23a44bc92dae7c058348286810549f4c7514c9ea61ad
- SHA512
  
  b88c3c160b68b0bdc03780a6848001aef7baa5532b815071eb4f26ff1caa87f71b2401b0c507db5389d14517310bae758aaa17f6fe7aa508f2de38cdbcac1fe2
- SSDEEP
  
  49152:TL51ahTWxFOlm43he+4Xkt1i1XkIZ9fm5urK7olHgnIxQQ6brit:p8h8ME4xr461ckZPoxgnsSa
Score

10^/10

hijackloader remcos v2 discovery loader persistence privilege_escalation rat
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Hijackloader family
  hijackloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  Predictor7.6.3/Sounds/VisualStudioSetup.exe
- Size
  
  4.2MB
- MD5
  
  588266fd79a4a51b4fd501d11eabc372
- SHA1
  
  e980ac3a93c89e67d1f33d86fffa391c5ba7ff06
- SHA256
  
  2e4e7be2891916f6158f45dad8ff5300ee2f78fc7df0d00a031cd5f86693e7ac
- SHA512
  
  e5d49e85f911b0646e067f67523cb7e40e9b6e6c13c31dd82294c4afcc270ae9c91f4728c722bc5e5ad9bdbb5cdd21b81747693960d53bbd07554db6a85c6115
- SSDEEP
  
  98304:IEbiDMuEbMHwTFSEAlODcXQ874QDdqiJXM8ux:kB+MQTFSLlOsrRMiJXq
Score

8^/10

adware discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral4