General

  • Target

    811B36654147B9E875884AD822100F2B.exe

  • Size

    17.3MB

  • Sample

    250605-rhe9yax1gs

  • MD5

    811b36654147b9e875884ad822100f2b

  • SHA1

    a4b3c3475bf35a1adc0ba4ee303544e5c8c76826

  • SHA256

    e68aaae515c5a9209fad7b4217f534de39b36ec66aff13c900c6c729e14dd31f

  • SHA512

    72baa92306352eed514bd49f740475cbd6a4c13fa647a67739f59b9c690f9d244ad37aafd57c3621aaa8b9093bbdb7fb68579ddb4c41b5294adcbcbe486683fa

  • SSDEEP

    393216:MGUcREA7ZcJkX5B7Rr0lLiL49cXLMVEmpV+gDc211a:MzzAe6X5tReiE9cX4O8ESc1

Malware Config

Extracted

Family

hijackloader

Attributes
  • directory

    %APPDATA%\serviceCli_1

  • inject_dll

    %windir%\SysWOW64\pla.dll

  • xor.hex
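The hashes under General and the two path attributes above are the indicators a responder would actually act on. The script below is an added example for this page (not sandbox output): it recomputes the listed hashes for a file, reports which ones match, and expands the config's %APPDATA% and %windir% paths so they can be checked on a host. Expansion is done by hand from a supplied mapping rather than with os.path.expandvars so the check also runs from a non-Windows analysis box. The names IOC_HASHES, match_iocs, expand_config_path and host_findings are this example's own; note that pla.dll is a legitimate Windows DLL, so its presence is expected and is not an indicator by itself.

```python
"""IOC check for the sample described in this report (added example)."""
import hashlib
import os
import re

# Hashes copied from the General section of the report.
IOC_HASHES = {
    "md5": "811b36654147b9e875884ad822100f2b",
    "sha1": "a4b3c3475bf35a1adc0ba4ee303544e5c8c76826",
    "sha256": "e68aaae515c5a9209fad7b4217f534de39b36ec66aff13c900c6c729e14dd31f",
    "sha512": "72baa92306352eed514bd49f740475cbd6a4c13fa647a67739f59b9c690f9d24"
              "4ad37aafd57c3621aaa8b9093bbdb7fb68579ddb4c41b5294adcbcbe486683fa",
}

# Attributes copied from the extracted HijackLoader config.
CONFIG_DIRECTORY = r"%APPDATA%\serviceCli_1"
CONFIG_INJECT_DLL = r"%windir%\SysWOW64\pla.dll"


def hash_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer, one per algorithm in IOC_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hex digests of a file, streamed so a 17 MB sample is not read at once."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(hashes: dict) -> list:
    """Names of the algorithms whose digest equals the report's value."""
    return sorted(name for name, digest in hashes.items()
                  if IOC_HASHES.get(name) == digest.lower())


def expand_config_path(template: str, env: dict) -> str:
    """Expand %VAR% tokens case-insensitively; unknown variables are left as-is."""
    upper_env = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: upper_env.get(m.group(1).upper(), m.group(0)),
                  template)


def host_findings(env: dict = None) -> list:
    """(description, expanded path, exists) for each path in the config.

    The directory is the indicator; pla.dll is a legitimate Windows component
    and is listed only so the responder knows where the loader injects.
    """
    env = dict(os.environ) if env is None else env
    directory = expand_config_path(CONFIG_DIRECTORY, env)
    dll = expand_config_path(CONFIG_INJECT_DLL, env)
    return [
        ("config directory (indicator if present)", directory, os.path.isdir(directory)),
        ("inject_dll target (legitimate file, expected to exist)", dll, os.path.isfile(dll)),
    ]


if __name__ == "__main__":
    import sys
    for finding in host_findings():
        print(*finding, sep="\t")
    for path in sys.argv[1:]:
        hits = match_iocs(hash_file(path))
        print(path, "MATCH on " + ", ".join(hits) if hits else "no hash match")
```

Run it with one or more file paths to compare them against the report's hashes; with no arguments it only prints the expanded config paths and whether they exist on the current host. A match on any single algorithm is enough to identify the sample, but a mismatch on all of them says nothing about a different build of the same loader, which is why the directory check is kept alongside the hash check.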

Targets

    • Target

      811B36654147B9E875884AD822100F2B.exe (size and hashes as listed under General above)

    • Aurotun

      Aurotun is a stealer written in C++.

    • Aurotun family

    • Detects Aurotun stealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Hijackloader family

    • Checks computer location settings

      Reads the country/locale code configured in the registry, most likely a geofence check so the loader does not run in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common way to redirect execution during process hollowing or thread hijacking, consistent with the inject_dll attribute in the extracted config.

MITRE ATT&CK Enterprise v16
