General

  • Target

    PLPOTNFD.zip

  • Size

    35.4MB

  • Sample

    250604-l5yf5svzay

  • MD5

    d622ba59d72d6cbad4efc923a25e8a00

  • SHA1

    cfb2ee969fefe289003016783adc67cad72b70a7

  • SHA256

    02fdfc31c15f4a4aa3b4bee97c968c364c0d98fbe523ae9e62d4b3dd38263ce0

  • SHA512

    6fae9a96fd4d13671d185fa05e0407abcc80d3a37cd7ffd00611a56cf0124cdae62f31008062f8c272a6a2acb3e7e6ce87b4bbb8d75dd3eacc36e0b998ba54f3

  • SSDEEP

    786432:6a1e1W++20IJo9hL8R3gODkNpTEqmZCdMpdiPcgxeaRCJsa:6akZ+iJoagODcpQ7ZjiVxeEa

Malware Config

Extracted

Family

hijackloader

Attributes
  • directory

    %APPDATA%\PHupdate4

  • inject_dll

    %windir%\SysWOW64\pla.dll

xor.hex

Targets

    • Target

      Package/BugSplat.dll

    • Size

      296KB

    • MD5

      27d48c6c48d5259a4e2ad7be369ce906

    • SHA1

      66ea6266024a66826a9dd57a1420b8ce6fd13b0c

    • SHA256

      4b33ee0e8a4153c0c8ccd945adb18d8f91b5b824746a15986bf6781f081f9968

    • SHA512

      a037c86bb33b98d768c27d975bc27be348382e75f4bf96d736d2f3bbcc02b7da9dc922994502fad1eb8f80d4df791c2c0e826b55b68c20580a46b1a0fe2cb43f

    • SSDEEP

      6144:zKNX3re4rLmb8Gh8cGLdutlE7ZWeyFEq0DQtzYtRVljQ:zKN6emgGh6LdGwWJFE9ls

    Score
    3/10
    • Target

      Package/COMSupport.dll

    • Size

      59KB

    • MD5

      976ef4af05e92e4dbb612756e6798a37

    • SHA1

      b6eeeab344272c6e9965820d35ca596703a311d6

    • SHA256

      b1038928a6da2a1b5064a27187403563f3ab7e8d4ec034dfa8d5d3f6be231191

    • SHA512

      dde2923cf55dbd7a9eecd4a114d475008123d433a003ea71da0c50e9ec557fe6dc270e26d97c9076546ba225a9388e303330e601ecaa11dda4e812809a9665db

    • SSDEEP

      768:8qr8sIYRM5ZJi9nCJELr6p0KkR7Dp4iUcj3QcYUyQaQIbPYTdRcmt3uo:8qvMi9T6fGmbcbjqmI8TdC03

    Score
    3/10
    • Target

      Package/DBGHelp.dll

    • Size

      968KB

    • MD5

      3094481f0cb0531b407d2388ecb4b85f

    • SHA1

      b2ed7c1895e417e0620e1043a8d3fcc4598fc791

    • SHA256

      c1275ddf04a0942b416c1a0b2d32003a4eda732c6f97c74181c236e35d12420f

    • SHA512

      34b78729403e16d5ac1032cbb85c5c68f61f2f35b6e57d6d5ea2bc372981e93a1425b46a2c2dd55ed2b2e0b8681f517103e30a86241aec037b1e1788c411252b

    • SSDEEP

      24576:cJ0P97FW0NnWpUBBgXRKQ7O7DVUY1V/IMHfyUO:c0PhFVNnWpUBB4i2o7O

    Score
    3/10
    • Target

      Package/DVDSetting.dll

    • Size

      41KB

    • MD5

      05c88530d48f20ec24dbc4df3470e57d

    • SHA1

      44cd6ee8ca8c0ffaf9313a0c24bb781dbc4f3849

    • SHA256

      718cfb5195d0e43e795627c781fb3f427856f1cf29f33eedbbc6059b6f214549

    • SHA512

      e7654ee6a45ac5c150b9c1b98d530e2c9ca6e89a836408d1435826979b5e009bb6d630c9ab9b6ed124511449754c5ec67181d91c8f96c3e00c7f5179bf2a9675

    • SSDEEP

      768:/8qXvDbWzd3vbJEl6s1Tl4jxl01SGoMRuuwV:Eq6dfbJE1T2aSwRuuwV

    Score
    3/10
    • Target

      Package/ExceptionHandler.dll

    • Size

      128KB

    • MD5

      7c76e3100bd67c47f176a0edde3ef79a

    • SHA1

      bff22f39f3ba61cddd695b8a27b5139c5675afba

    • SHA256

      6036be1c9a8819998ad10879dff6c04edc787d34a142a3e0841c0fca36fb9c6e

    • SHA512

      a9508ef760f5bba22aec0f2784258a364b372ff163bebf4fc59cb4d48c7ac6e68a96b7fd64dddb522dfa4c34f7ad652d8779232dd0db7609fb4b60cc1f4c2bbf

    • SSDEEP

      1536:ReLbWzby5i5Zqyt4Q1H9JFXHSFUNNRcZZ36mCcTSkb0EYsKK93BFZ2nQ+iFD+b7:8v+iNPQ1H9JFCsIdjWK9RFZB+iFD+b7

    Score
    3/10
    • Target

      Package/Joomlon.wsf

    • Size

      56KB

    • MD5

      8e1fead144a9a35381458165a285de66

    • SHA1

      aa0e88cba98d24ec0da9f7d8691e98f92f05f9f1

    • SHA256

      d6ea3cd5da1d58ad155e2ab83af2c77b910886bd17c79e16b874bbdb31f3c801

    • SHA512

      2e815e730c28935b018fa74eac4cc251c3292bb5f7900c1e0a93419e68f9d4448c67d8f1eb4950bf8d660f5158a448f5f352fdb81168813fea75b6f6743bb1e0

    • SSDEEP

      1536:m2t2cndPVAPtXH9SGoXw7fB7tVbYXANjmI5vge:3jd9AFXwcfhSMSe

    Score
    1/10
    • Target

      Package/NLEResource.dll

    • Size

      167KB

    • MD5

      b5b2c99fbe00ce2d3be66890a55640ae

    • SHA1

      5110e90d3ee55f05aee9a56ff510fc286d70ba88

    • SHA256

      7cd5072111581133c5e28b56bef060b3d3b0d8acca3396ef23c6c384eb292d25

    • SHA512

      ea04c33f6d3a65b45ba88019d1121fb4d368a40b5cfc2afbd2fef4125edd29563ef0509fb70a398276f3c456e2d78115d7948261f93cd9709a5a353dfca7e6db

    • SSDEEP

      3072:EzCjWwbSlOnn1VASbBvdg573gF8z65t1X:Ea1V1ZqLVW

    Score
    3/10
    • Target

      Package/NLEService.dll

    • Size

      289KB

    • MD5

      77bffd6a7270bf001aaba999de8394f9

    • SHA1

      132a1823392596f9748667b67f4aaef709b335c1

    • SHA256

      15c4860f2e0530bc896f9b07f893b32b13cffe40c909293b6232bd5696a5f71a

    • SHA512

      358c82c57ccf73a20b3496ff8fe83959f49283536c8ca7a00f6211e8c67a36c3e6a7029f7a30fcd3de502e6007fd9eec654d922e29e9b15815af208e358d1aa4

    • SSDEEP

      6144:SN5kbdYKDBpH0gMEjN24gai3/svFlWAWKLrJ:nbqKDBHgaivsPNWMl

    Score
    3/10
    • Target

      Package/NLETransitionMgr.dll

    • Size

      124KB

    • MD5

      b27ec2286daa245ceb0688df5b7f574d

    • SHA1

      e2e301eb3dc569754d21d69be3f845de13a5345d

    • SHA256

      41050f6f6919a4516d481f7c9b5fe6074c447afc6e9cc28d180982eea50ae165

    • SHA512

      e99ee79e5561d6c4dbfad88fa901d37c55fefd513fa88a1d833d107244a2172ee921e54bd83fd68f1d748d8922bd4f9412ecc703caf351e33b72c3b894bf51cd

    • SSDEEP

      1536:AE0joHqSwFPpx0MIANXJ38q+u4taao+CxNpyKAFqKIqp8XbtnXYVX5fUH8:AEI+qSwFtJ3Obt7++YRXYh5fUH8

    Score
    3/10
    • Target

      Package/Sonic-Drive64.exe

    • Size

      2.4MB

    • MD5

      a4b240cce6e3da6e959f33bd82394034

    • SHA1

      ab5d51c7bc80882d9e8f20b11b41a25e775078d6

    • SHA256

      44f009ca786bc541cda11c61bab7b272e96ce9e3d656c10bdac2e126f3a9cc35

    • SHA512

      f8009e8e7e2735c200057626c4a3c8b4c9c469866b46f8d8e6f2ab8994d317bbbe6b32730b86cf775645851996a79ff2f8d5f12514f5e39bf874cc3851f60bec

    • SSDEEP

      24576:hNb6R19IsA8A95bWbiOSc29d8CX5bI7lCIoQIkbRFRHGvustXDF3VBCvxToyTGHS:D8AoW5p0J4DF3LcToyTGSN

    • Aurotun

      Aurotun is a stealer written in C++.

    • Aurotun family

    • Detects Aurotun stealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      Package/WSUtilities.dll

    • Size

      182KB

    • MD5

      54b87d3271a4fa9b1e1fea51c2ef9c14

    • SHA1

      fd79e145376a6268827ed9693f276c6bb8bca326

    • SHA256

      30b9b877aa1112105069be6b4de794b7a7147a1d968e71fa63f2edc7397e126f

    • SHA512

      88bad2b2137f85e5faef07893bd400fcc4206cbf64655b223e63af743800f13eeb36cae55b5fb3edb907c6e2f623f27075acb10538ecf8bbd597e126a8977ebe

    • SSDEEP

      3072:o1xNna70jpS3wOGvWhLdT24Nz0PPDKv6i2DZ6BTNbcGpDhaupU:KbtS3PGvBqR2l6BTN9JBp

    Score
    3/10
    • Target

      Package/WS_ImageProc.dll

    • Size

      222KB

    • MD5

      23b3a972dc6e25581b6fa9e01bafc375

    • SHA1

      39b54451f58d16cc76f875c137d72c2fe93bb3af

    • SHA256

      58ef42507d9fc1e8a7b240ef5cddc9f600c3d9a61ee6a42a4045278bb332b86a

    • SHA512

      d69e04a8f9ba25dc4bcb4ae9b53122243b8419b658314e92892624b1ee70b3cbb8662be3f0fa9181b1653ddd677c28677e1f8ea212bbb577f1d3ee641921106a

    • SSDEEP

      3072:f8Wacf55wj0XUcz4pEM4rsJLtOsAg0FuLBNEBNz6cQoopW+T7:f89cR5wjtcLbULtOsAO1io4o

    Score
    3/10
    • Target

      Package/WS_Log.dll

    • Size

      219KB

    • MD5

      b016e772c86bd8faabf3ce0d301c4b9c

    • SHA1

      12e39e7a0160bb9bd5080b1a168d2e3a8b7f11a0

    • SHA256

      af9067296587465c1c5a574750835f10801e8e12a08d3dbd91e66a5bed39c817

    • SHA512

      3552bc4c1339e81d71de227ffdf9f9b190073864cbc1982188f6e89e20b919358cccb466543fccc44c6457944a34c3fbe78f4b82d6e89f083afee37b99d12a10

    • SSDEEP

      3072:/FoYyQjQpTJV15fSb0pR/grZXEKKdeFazpvhqlMwsR+oTMa5nqps:Itp3ffSITSZUKKdeFchsnNIr

    Score
    3/10
    • Target

      Package/WsBurn.dll

    • Size

      2.4MB

    • MD5

      c6328e8342538b7e2502b752e5cb1e28

    • SHA1

      fdbb116ce30ea6a0a61fd0e36084dfb26e683b22

    • SHA256

      8fcae9719a3f831cb73ef50b587a6222ff73d6c1a6ae617636cb31c6e02d5e3a

    • SHA512

      3942aa6e7311bef329c049c109e6d9c27a439c3dafa87ec7020c43e878cfa87e741b22d65603bec8d3a0da978405eb64c3a744fd0ac0644680968f682d4aca3a

    • SSDEEP

      24576:abK9oW4egvcZwuRRWRjFj63KP0wCkjgLwG0osspaa:ab+YvcecRCj63KP0wCZaossEa

    Score
    3/10

MITRE ATT&CK Enterprise v16

Tasks

static1

Score
3/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

aurotun, hijackloader, discovery, loader, stealer
Score
10/10

behavioral20

aurotun, hijackloader, discovery, loader, stealer
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10