General

  • Target

    2221df8b5c6e7d89c926bac07a01212a2da6c7f06644507e6c7d1787c3871d22

  • Size

    13.8MB

  • Sample

    250604-thqf1s1px3

  • MD5

    2edf959b1e7f40116f36c5b9c6b939ab

  • SHA1

    f3948c7bbb855454655e160742b653ef42fc0213

  • SHA256

    2221df8b5c6e7d89c926bac07a01212a2da6c7f06644507e6c7d1787c3871d22

  • SHA512

    20b6995b61cdda2cbdbde24f9c1a8f5002dfdbfa2c24eca9d39b5eeaa75246f5f6241c8a310ada047f3a84b653fd46d3fa4f3aaa4d5f68a500c45ed25730456b

  • SSDEEP

    393216:zorfl3DsNvrKTHPIwphBwGZKjRJeYACIUB1KCBpDZeeUto8wzVRT9s1EeF:Qfl2EvTHyGZKjR8TWDKCBpDKO8wzpveF

Malware Config

Extracted

Family

hijackloader

Attributes
  • directory

    %APPDATA%\JqoTool_debug_v2

  • inject_dll

    %windir%\SysWOW64\pla.dll

xor.hex

Targets

    • Target

      Package/Consol_Cy.exe

    • Size

      93KB

    • MD5

      b12acc9521a8446ef2eb7f9cc6bbc4be

    • SHA1

      e10d9ed838949d37d156e3ead2ad535aef19aa9a

    • SHA256

      0b6b4e9a97e75c44ae807fccc94629183fa9de5957ea3984e8870450f314e5e9

    • SHA512

      23979ff2ce599c44d7d1d5520616df9984468ba396f5526b87555ef802ee3bea57b0f9d7bcd7921fff4181a190a21f1dc91c6b3c8a99d1d6c88b19d20fa7c904

    • SSDEEP

      1536:cJnkRJLmfTKdYyIeFsV/YBfWBJl90JlzRgKzdbcHoVM8ksSwxLG:cCRJLmfTbCsVwBeXT2lzRJbcYDkspG

    • Aurotun

      Aurotun is a stealer written in C++.

    • Aurotun family

    • Detects Aurotun stealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Package/VCRUNTIME140.dll

    • Size

      81KB

    • MD5

      2ebf45da71bd8ef910a7ece7e4647173

    • SHA1

      4ecc9c2d4abe2180d345f72c65758ef4791d6f06

    • SHA256

      cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b

    • SHA512

      a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

    • SSDEEP

      1536:JlQxqDRpVhURw767ckhI6SysppzDuLCVbd2pecbiyaSEN:JlzDRjhU676gWoJpx2pecbiya

    Score
    3/10
    • Target

      Package/python38.dll

    • Size

      3.9MB

    • MD5

      4bddcdbe1dc96d4073cf8531358d8e30

    • SHA1

      bc613f430d3498dbac2ddf230da30c2fca3150ac

    • SHA256

      b2df6069a472d4489c50ce95dde662fd2589103ffe9a62006789da811b12f67a

    • SHA512

      3e54d2510915bb7adc02e1830e8645327f4619a8b7ff3078c391993de73613b836d5dd2200e9b02d9cdac87daa39fd17030350c61ce090223284f6d21dae8fa7

    • SSDEEP

      49152:RgX8NCM9Nwv/YXxp0DDBdEcnW2vubxI8C5HBKMZnCPdJ9TB7itLV74AFheMY:aMroA2Ecnnj8GHYMZEJqlVtFheMY

    Score
    3/10

MITRE ATT&CK Enterprise v16

Tasks