General

  • Target

    SVWSRPTS.zip

  • Size

    15.1MB

  • Sample

    250604-l5ezssfp7v

  • MD5

    edf09f6b5c287fd200c5b1ef0d949ac5

  • SHA1

    b17de04962899ee9d61500fe52963e99da528ff3

  • SHA256

    d233da2bd79f20aac04aad28f661436aaaa572452b29a85d65f0d61441d3b7ae

  • SHA512

    30f16c11d1682fe73f636b0030cdbe93f9feb9151dd2445dd4b8e8f4462621aadd92cebdd386f816e09707377faf045bf654c45449f4aabe0deae77c739bfc67

  • SSDEEP

    393216:lFSCF9/XAR+jQmj8SrZMbJoFzwHHz97KfZ4t:l9f8ZsTrZQoFQpKfZ4t

Malware Config

Extracted

  • Family

    hijackloader

Attributes

  • directory

    %APPDATA%\browserManageQf_debug_v4

  • inject_dll

    %windir%\SysWOW64\pla.dll

  • xor.hex

Targets

    • Target

      NaviEch64.exe

    • Size

      5.1MB

    • MD5

      0477c2f9171599ca5bc3307fdfba8d89

    • SHA1

      24eb3d47987c5cc97589c6f1685af5cb28001e16

    • SHA256

      b4f2980e0ba4c1e1b303b443a2c45f4a9090c0d745809f84afb1879b70abf195

    • SHA512

      903aced62c9209c878d3fcb481ff10ca4f6fc2801dc45ac809fe123945c6ef6b1662d55c9939ba67736a4bcca1583d5c5e1f766c141699a86d33a5359e32651d

    • SSDEEP

      49152:9dTweV4wyDPCfMpbKccEVC3s9bha76kiYmdUBKGTEJwcsNUNcKthjF0OiQ1hlGCj:9dowyDUMNKcRbsmGTEJFhN1XKOih/

    • Aurotun

      Aurotun is a stealer written in C++.

    • Aurotun family

    • Detects Aurotun stealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Tools.dll

    • Size

      1.2MB

    • MD5

      337992f8cc09205e978ff42cd00dddc8

    • SHA1

      59382e658b5e32918e6d52bf9f7726199887bfee

    • SHA256

      efaa3b08777289bbcda0885a067fa2487ae82566d5e971633c28af8837160999

    • SHA512

      1848bf614b45a1080d5ea3c0177a963a96ce3b1ed94a5adad6c17a7503a6e667c777925b17245f8d0eff9129f4c67b591dc5d01c94058bf6a32aa6494398a8af

    • SSDEEP

      24576:PboIDeeQytIs9JSan1hr41aSkHhRyPtujlCpqr1Lf8cK:PDaf2tQQ9EcK

    Score
    3/10

    • Target

      sqlite3.dll

    • Size

      325KB

    • MD5

      f9f07b9e08f555d3a54f7ed78f1726a6

    • SHA1

      6996b0ad878a0bc3f73ae5d6915cd648580800e9

    • SHA256

      427111ddc94b60794e5d9af1fbc52fbfdc90d054cbb88a70f7b689a50b508dec

    • SHA512

      2d5adb9c39e84b8b11324975ec1fe9ca49c148fb1ad0e952bc1ed994b98264574516610244c508632c737d3eb4f4b1649bdc16559735e44c352aa1c82a08e25a

    • SSDEEP

      6144:4VJHAE3BWzZEAVPrrWxyLqHeuI9I19qnSX7cH0sU/1dMWw3/o:+dAE3BOLPY5euIqqnC7cUVdW3/o

    Score
    3/10

MITRE ATT&CK Enterprise v16

Tasks