Overview

overview

10

Static

static

1

b94ecfae3b...77.exe

windows7-x64

10

b94ecfae3b...77.exe

windows10-ltsc 2021-x64

10

b94ecfae3b...77.exe

windows11-21h2-x64

10

Resubmissions

13-02-2025 14:36

250213-ryptbazlcy 10

13-02-2025 12:03

250213-n75dksyjat 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe

  • Size

    10.9MB

  • Sample

    250213-ryptbazlcy

  • MD5

    c836c14219ca56536439cc008608740f

  • SHA1

    a4e237dbd668e757595084872a921746edbcd418

  • SHA256

    b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477

  • SHA512

    d03cf84096cf6b34be6fa15f18a0e8b721b2f9400d1dd95f7e584b27c938c6b4f3ec72dd424c4f81d9af5917c607d8ae3c00c2e321b571d2ace024110a6a66d6

  • SSDEEP

    196608:JrH67uot0SW/ZA9SL3oSzC1/OxwnIBSnCITfLb8MAFGrCaPiqXpAo83jVolDN/+K:Jvo2nZA9SMSzCl7YSnC8fLbUGr0UAH34

Score
10/10
hijackloaderadwaredefense_evasiondiscoveryloaderpersistenceprivilege_escalationstealer

Malware Config

Targets

    • Target

      b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477.exe

    • Size

      10.9MB

    • MD5

      c836c14219ca56536439cc008608740f

    • SHA1

      a4e237dbd668e757595084872a921746edbcd418

    • SHA256

      b94ecfae3b5514ba1dc5c10faf595527159a535b5c326b39cb42185e6ef6d477

    • SHA512

      d03cf84096cf6b34be6fa15f18a0e8b721b2f9400d1dd95f7e584b27c938c6b4f3ec72dd424c4f81d9af5917c607d8ae3c00c2e321b571d2ace024110a6a66d6

    • SSDEEP

      196608:JrH67uot0SW/ZA9SL3oSzC1/OxwnIBSnCITfLb8MAFGrCaPiqXpAo83jVolDN/+K:Jvo2nZA9SMSzCl7YSnC8fLbUGr0UAH34

    Score
    10/10
    hijackloaderdefense_evasiondiscoveryloaderpersistenceprivilege_escalationadwarestealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

      loaderhijackloader

    • Hijackloader family

      hijackloader

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks