General
Target: NSSAINYO.msi
Size: 22.2MB
Sample: 250605-gpddtaeq6s
MD5: 2b33e07102c50049a9cb625dd54850a8
SHA1: 62ccc03bd61c69ebe34bef82d1c7817d3ce61766
SHA256: 87a1f7f9fb9e22274855350d2faf2b1962eceed9740172c0f0951f6ca72715f9
SHA512: 1f5b8b1e91928630ff118458fb49ca494e99c22abaa230a33fc1980d3343a24e299c41c2f6a20f4a29b731aa965a83bb6ebe4974588d350eef7192ee68ba9793
SSDEEP: 393216:Tb2aK6ux+L0YJLSphc1qnDYG4hKbIaaljkuMZc1JvNjVrnU/1ez6LsS:OaK9kJLSHCqnDYGWaal4ZZ0VjVbasTS
Behavioral task
behavioral1
Sample: NSSAINYO.msi
Resource: win10v2004-20250502-en
Malware Config
Extracted: hijackloader
directory: %APPDATA%\QuickPlugin_IK_v5
inject_dll: %windir%\SysWOW64\pla.dll
Targets
Target: NSSAINYO.msi
Size: 22.2MB
- Aurotun family
- Detects Aurotun stealer
- Detects HijackLoader (aka IDAT Loader)
- Hijackloader family
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext