General

  • Target

    NSSAINYO.msi

  • Size

    22.2MB

  • Sample

    250605-gpddtaeq6s

  • MD5

    2b33e07102c50049a9cb625dd54850a8

  • SHA1

    62ccc03bd61c69ebe34bef82d1c7817d3ce61766

  • SHA256

    87a1f7f9fb9e22274855350d2faf2b1962eceed9740172c0f0951f6ca72715f9

  • SHA512

    1f5b8b1e91928630ff118458fb49ca494e99c22abaa230a33fc1980d3343a24e299c41c2f6a20f4a29b731aa965a83bb6ebe4974588d350eef7192ee68ba9793

  • SSDEEP

    393216:Tb2aK6ux+L0YJLSphc1qnDYG4hKbIaaljkuMZc1JvNjVrnU/1ez6LsS:OaK9kJLSHCqnDYGWaal4ZZ0VjVbasTS

Malware Config

Extracted

Family

hijackloader

Attributes
  • directory

    %APPDATA%\QuickPlugin_IK_v5

  • inject_dll

    %windir%\SysWOW64\pla.dll

xor.hex

Targets

    • Target

      NSSAINYO.msi

    • Size

      22.2MB

    • MD5

      2b33e07102c50049a9cb625dd54850a8

    • SHA1

      62ccc03bd61c69ebe34bef82d1c7817d3ce61766

    • SHA256

      87a1f7f9fb9e22274855350d2faf2b1962eceed9740172c0f0951f6ca72715f9

    • SHA512

      1f5b8b1e91928630ff118458fb49ca494e99c22abaa230a33fc1980d3343a24e299c41c2f6a20f4a29b731aa965a83bb6ebe4974588d350eef7192ee68ba9793

    • SSDEEP

      393216:Tb2aK6ux+L0YJLSphc1qnDYG4hKbIaaljkuMZc1JvNjVrnU/1ez6LsS:OaK9kJLSHCqnDYGWaal4ZZ0VjVbasTS

    • Aurotun

      Aurotun is a stealer written in C++.

    • Aurotun family

    • Detects Aurotun stealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks