General

  • Target

    fd5408de1c1597eba487b973b0f9f38b819d6f0bf05df0ba72f39dc5b4787fdb

  • Size

    2.8MB

  • Sample

    250604-tealdseq9x

  • MD5

    779e9692c8d690cfdaf169b7c63f0ff0

  • SHA1

    4e1674b01f8eb5ae51aa2f16a16933d31b9d48a6

  • SHA256

    fd5408de1c1597eba487b973b0f9f38b819d6f0bf05df0ba72f39dc5b4787fdb

  • SHA512

    39de754338a034571deb8081bae72d668c01a1f82ac5ea404a4896de876c8bce9cf21115e73a3aa028017a7441c412039351dd3c464f6d2f325619317a29efd1

  • SSDEEP

    49152:6i3TQuySl0+8yyDOWMxHkN/TDiVYrHOxOxmbg6iC/L9AfO7SnMjZPOlNU:6i3TQuyy8yyXMJk9niVYjOAxnm+ng1oS

Malware Config

Extracted

Family

hijackloader

Attributes
  • directory

    %APPDATA%\JBFArchive_alpha1

  • inject_dll

    %windir%\SysWOW64\pla.dll

xor.hex

Extracted

Family

xenorat

C2

94.130.65.160

Mutex

Blake2

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    4444

  • startup_name

    nothingset

Targets

    • Target

      Package/BugSplat64.dll

    • Size

      377KB

    • MD5

      77332b787c5a521cf69434278cf61c51

    • SHA1

      a9b6c1ec377188a0c4a3c17eee29421d49d3199f

    • SHA256

      044faa9060d345fb43d44a8bd8e85fe7aac597ff5444ebe5b35489eceb312783

    • SHA512

      0df5dffbc59bad8f5fe4c9ac6710079f82be0765a43f33d7ef723ce092bfa8f8083432d8c3ca2b7a61688c6bac9bbe672682b89ec56dad7cc042d5557e17f75d

    • SSDEEP

      6144:8pPawwQxTcl7BytWPZVEsTRGRXvRyZK4rtx9TYo6JqXJrhCsRiw:8aQw7VPZ9zr5YnFw

    Score
    1/10
    • Target

      Package/Device_Synth.exe

    • Size

      270KB

    • MD5

      6a06b58d738d47e93f08ff39112fba2c

    • SHA1

      3d4cbc2bf0362c3a7af191b69e310589d86bc1fb

    • SHA256

      fdbe7dbe0228baad747bf7e8d830cbfbed7d2bd3013b8080dc50e726b21ddac6

    • SHA512

      e021f725e01cb5018ec05c06f54d95b24758d137b80cbde52217bb85e2d809204f5afb90e9d57117b48135003cb7d7ba3773eb6b23dcde2bae246bd208e4f7ea

    • SSDEEP

      6144:VIaCAK/UGjgTPD/CRe4GvTS8w9hzc9ap+zGd:qz7KmH9tpT

    • Detect XenoRat Payload

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Suspicious use of SetThreadContext
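The indicators extracted above (XenoRAT C2 94.130.65.160 on port 4444, the HijackLoader drop directory %APPDATA%\JBFArchive_alpha1, the injection host %windir%\SysWOW64\pla.dll and the 60000 ms delay) are only useful once they are turned into checks. The script below is an added example, not part of the sandbox report and not the malware's or any vendor's code: it runs those indicators over a few constructed Sysmon-style events (EventID 3 network connect, 7 image load, 11 file create; the field names follow Sysmon, the events and file placements are invented) and adds a periodicity check on connection timestamps. Assumptions: that the config "delay" governs the reconnect/check-in cadence, and that pla.dll (a legitimate Windows DLL) is suspicious only when mapped into a process running from a user-writable AppData path; both are heuristics of this example, not facts stated by the report.

```python
"""IOC matcher for the HijackLoader / XenoRAT configuration in this report.

Added example, not part of the sandbox report. Event shapes mimic Sysmon
(EventID 3 network connect, 7 image load, 11 file create); the sample events
are constructed for the demo.
"""
from statistics import median

C2_IP = "94.130.65.160"
C2_PORT = 4444
# %APPDATA% normally resolves to ...\AppData\Roaming
DROP_DIR = "\\appdata\\roaming\\jbfarchive_alpha1\\"
INJECT_DLL = "\\syswow64\\pla.dll"
# Config "delay" attribute is 60000 ms; treating it as a check-in interval is
# an assumption of this example.
RECONNECT_DELAY_S = 60000 / 1000


def _norm(path):
    """Lower-case and use backslashes so comparisons are case/slash-insensitive."""
    return (path or "").replace("/", "\\").lower()


def match_iocs(events):
    """Return a list of (ioc_name, severity, process_image) for events that hit."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 3 and ev.get("DestinationIp") == C2_IP:
            # The IP alone is worth a ticket; IP plus the configured port is near-certain.
            sev = "high" if int(ev.get("DestinationPort", 0)) == C2_PORT else "medium"
            hits.append(("xenorat_c2", sev, image))
        elif eid == 11 and DROP_DIR in _norm(ev.get("TargetFilename")):
            hits.append(("hijackloader_drop_dir", "high", image))
        elif eid == 7 and _norm(ev.get("ImageLoaded")).endswith(INJECT_DLL):
            # pla.dll is a legitimate Windows DLL; the signal is it being mapped
            # into a 32-bit process that runs from a user-writable AppData path
            # (heuristic, assumption of this example).
            if "\\appdata\\" in _norm(image):
                hits.append(("pla_dll_load_from_appdata", "medium", image))
    return hits


def looks_like_beacon(timestamps, period=RECONNECT_DELAY_S, tolerance=5.0, min_samples=4):
    """True if connection timestamps (seconds) recur at roughly `period` seconds."""
    if len(timestamps) < min_samples:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return abs(median(gaps) - period) <= tolerance


# Constructed events: not real telemetry from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\Device_Synth.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\JBFArchive_alpha1\BugSplat64.dll"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\JBFArchive_alpha1\Device_Synth.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\pla.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",          # benign load
     "ImageLoaded": r"C:\Windows\System32\pla.dll"},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Roaming\JBFArchive_alpha1\Device_Synth.exe",
     "DestinationIp": "94.130.65.160", "DestinationPort": 4444},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "142.250.0.1", "DestinationPort": 443},           # unrelated traffic
]

# Constructed connection times (seconds) showing a roughly 60 s cadence.
SAMPLE_C2_TIMES = [0.0, 60.2, 119.9, 180.5, 241.1]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        print(hit)
    print("beaconing:", looks_like_beacon(SAMPLE_C2_TIMES))
```

The third sample event (svchost.exe loading System32\pla.dll) is deliberately benign and must not fire: the DLL path in the config is the SysWOW64 copy, and the loader process in a real HijackLoader run lives in the AppData drop directory, so a bare "pla.dll loaded" rule would drown in legitimate Performance Logs and Alerts activity.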

MITRE ATT&CK Enterprise v16