General
-
Target
GIGQODII.zip
-
Size
39.9MB
-
Sample
250604-l5xvlsvzax
-
MD5
4c58af8f1b20b2a68a76978f902ed02e
-
SHA1
fad64f028fe1930467e424403bf15bd260df074f
-
SHA256
03d75f5c0e6908159e7227ba04e1635317eb12f2083ceb1eec58356183f65926
-
SHA512
8b8ae183c901e27df2ef33cf07177754e6d37176e1f1b2d552cbb72b1f0e23c1cd1158608f53cdcfa8aa1f404b8b2c55ee545551b0eb88939a7c47138e472477
-
SSDEEP
786432:NStbYuj059nS72RHVw+q5VhR+OBQURUra1D93yot8ehSSyH2g4ypvtR:WXi9E2xq+q5rR66UrYD9izehSvWg4YvL
Static task
static1
Behavioral task
behavioral1
Sample
Package/Consol_Cy.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
Package/Consol_Cy.exe
Resource
win11-20250502-en
Behavioral task
behavioral3
Sample
Package/VCRUNTIME140.dll
Resource
win10v2004-20250502-en
Behavioral task
behavioral4
Sample
Package/VCRUNTIME140.dll
Resource
win11-20250502-en
Behavioral task
behavioral5
Sample
Package/python38.dll
Resource
win10v2004-20250502-en
Behavioral task
behavioral6
Sample
Package/python38.dll
Resource
win11-20250502-en
Malware Config
Extracted
hijackloader
-
directory
%APPDATA%\ClientConfig_v1_x64
-
inject_dll
%windir%\SysWOW64\pla.dll
Targets
-
-
Target
Package/Consol_Cy.exe
-
Size
93KB
-
MD5
b12acc9521a8446ef2eb7f9cc6bbc4be
-
SHA1
e10d9ed838949d37d156e3ead2ad535aef19aa9a
-
SHA256
0b6b4e9a97e75c44ae807fccc94629183fa9de5957ea3984e8870450f314e5e9
-
SHA512
23979ff2ce599c44d7d1d5520616df9984468ba396f5526b87555ef802ee3bea57b0f9d7bcd7921fff4181a190a21f1dc91c6b3c8a99d1d6c88b19d20fa7c904
-
SSDEEP
1536:cJnkRJLmfTKdYyIeFsV/YBfWBJl90JlzRgKzdbcHoVM8ksSwxLG:cCRJLmfTbCsVwBeXT2lzRJbcYDkspG
Score10/10-
Aurotun family
-
Detects Aurotun stealer
-
Detects HijackLoader (aka IDAT Loader)
-
Hijackloader family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
Package/VCRUNTIME140.dll
-
Size
81KB
-
MD5
2ebf45da71bd8ef910a7ece7e4647173
-
SHA1
4ecc9c2d4abe2180d345f72c65758ef4791d6f06
-
SHA256
cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b
-
SHA512
a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457
-
SSDEEP
1536:JlQxqDRpVhURw767ckhI6SysppzDuLCVbd2pecbiyaSEN:JlzDRjhU676gWoJpx2pecbiya
Score3/10 -
-
-
Target
Package/python38.dll
-
Size
3.9MB
-
MD5
4bddcdbe1dc96d4073cf8531358d8e30
-
SHA1
bc613f430d3498dbac2ddf230da30c2fca3150ac
-
SHA256
b2df6069a472d4489c50ce95dde662fd2589103ffe9a62006789da811b12f67a
-
SHA512
3e54d2510915bb7adc02e1830e8645327f4619a8b7ff3078c391993de73613b836d5dd2200e9b02d9cdac87daa39fd17030350c61ce090223284f6d21dae8fa7
-
SSDEEP
49152:RgX8NCM9Nwv/YXxp0DDBdEcnW2vubxI8C5HBKMZnCPdJ9TB7itLV74AFheMY:aMroA2Ecnnj8GHYMZEJqlVtFheMY
Score3/10 -