General

  • Target

    MMNFYWCW.zip

  • Size

    16.6MB

  • Sample

    250604-l5zdfafp9v

  • MD5

    8378ab9f13688e02d6ec263da0136934

  • SHA1

    3a50252726a2993bb690801b8973d514bc502f21

  • SHA256

    1780aacde90573187d5a69327727d02ff758a01b455947a6187689a85603d7f5

  • SHA512

    cd89c77bb78c138e4ed44fef5480d4819bc101e2cf5ddeb3faccd13380eafa0cd4497bf017fa6fe81818ac16f5053a154dc5e5c89aba89d761fc573075708d4c

  • SSDEEP

    393216:H3EsYx1MlwJHDA4OkDpDnUYw6K3dbLgweX7dzLDgBZT77VRT9s1EqL:XEsYx1MlgHEk9NK3d+Dgr7pvqL

Malware Config

Extracted

Family

hijackloader

Attributes

  • directory

    %APPDATA%\Beaconquick_beta

  • inject_dll

    %windir%\SysWOW64\pla.dll

xor.hex

Targets

    • Target

      Package/Consol_Cy.exe

    • Size

      93KB

    • MD5

      b12acc9521a8446ef2eb7f9cc6bbc4be

    • SHA1

      e10d9ed838949d37d156e3ead2ad535aef19aa9a

    • SHA256

      0b6b4e9a97e75c44ae807fccc94629183fa9de5957ea3984e8870450f314e5e9

    • SHA512

      23979ff2ce599c44d7d1d5520616df9984468ba396f5526b87555ef802ee3bea57b0f9d7bcd7921fff4181a190a21f1dc91c6b3c8a99d1d6c88b19d20fa7c904

    • SSDEEP

      1536:cJnkRJLmfTKdYyIeFsV/YBfWBJl90JlzRgKzdbcHoVM8ksSwxLG:cCRJLmfTbCsVwBeXT2lzRJbcYDkspG

    • Aurotun

      Aurotun is a stealer written in C++.

    • Aurotun family

    • Detects Aurotun stealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Package/VCRUNTIME140.dll

    • Size

      81KB

    • MD5

      2ebf45da71bd8ef910a7ece7e4647173

    • SHA1

      4ecc9c2d4abe2180d345f72c65758ef4791d6f06

    • SHA256

      cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b

    • SHA512

      a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

    • SSDEEP

      1536:JlQxqDRpVhURw767ckhI6SysppzDuLCVbd2pecbiyaSEN:JlzDRjhU676gWoJpx2pecbiya

    • Score

      3/10

    • Target

      Package/python38.dll

    • Size

      3.9MB

    • MD5

      4bddcdbe1dc96d4073cf8531358d8e30

    • SHA1

      bc613f430d3498dbac2ddf230da30c2fca3150ac

    • SHA256

      b2df6069a472d4489c50ce95dde662fd2589103ffe9a62006789da811b12f67a

    • SHA512

      3e54d2510915bb7adc02e1830e8645327f4619a8b7ff3078c391993de73613b836d5dd2200e9b02d9cdac87daa39fd17030350c61ce090223284f6d21dae8fa7

    • SSDEEP

      49152:RgX8NCM9Nwv/YXxp0DDBdEcnW2vubxI8C5HBKMZnCPdJ9TB7itLV74AFheMY:aMroA2Ecnnj8GHYMZEJqlVtFheMY

    • Score

      3/10

MITRE ATT&CK Enterprise v16

Tasks