hijackloader | 696ed13d119273602770a67ac8015544cabba93a8316816e4fbdda5794b35399 | Triage

Sharing

General

Target

d.msi
Size

2.9MB
Sample

250220-rhnlbayjz4
MD5

5297df4268c31105df6d2fc39437d294
SHA1

df8d187c76abf86b8c7f3061723232424c6a7f2c
SHA256

696ed13d119273602770a67ac8015544cabba93a8316816e4fbdda5794b35399
SHA512

5fdd3cc4dfa1962a769138fece7a1ca9262d6503fe3a10838b6356d8fbe7081f841beb30bffbf0cc4966f863e63d420c05f9f903c7621da6130fea2e7ed85ad5
SSDEEP

49152:wL51ahTWxFOlm43he+4Xkt1i1XkIZ9fm5urK7olHgnIxQQ6brit:A8h8ME4xr461ckZPoxgnsSa

Score

10^/10

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

v2

C2

185.157.162.126:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
qsdazeazd-EL00KX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  d.msi
- Size
  
  2.9MB
- MD5
  
  5297df4268c31105df6d2fc39437d294
- SHA1
  
  df8d187c76abf86b8c7f3061723232424c6a7f2c
- SHA256
  
  696ed13d119273602770a67ac8015544cabba93a8316816e4fbdda5794b35399
- SHA512
  
  5fdd3cc4dfa1962a769138fece7a1ca9262d6503fe3a10838b6356d8fbe7081f841beb30bffbf0cc4966f863e63d420c05f9f903c7621da6130fea2e7ed85ad5
- SSDEEP
  
  49152:wL51ahTWxFOlm43he+4Xkt1i1XkIZ9fm5urK7olHgnIxQQ6brit:A8h8ME4xr461ckZPoxgnsSa
Score

10^/10

persistence privilege_escalation hijackloader remcos v2 discovery loader rat
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Hijackloader family
  hijackloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Installer Packages

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Installer Packages

Defense Evasion

Modify Registry

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

persistenceprivilege_escalation

behavioral2

hijackloaderremcosv2discoveryloaderpersistenceprivilege_escalationrat

behavioral3

hijackloaderremcosv2discoveryloaderpersistenceprivilege_escalationrat