hijackloader | cced68e78da1e155cdc09eec9df2bd6e41d8597fbc0084b10e741ebebe7f46b7 | Triage

Submit
Reports

Overview

overview

Static

static

7

Spectra Setup.exe

windows10-2004-x64

Spectra Setup.exe

windows11-21h2-x64

Resubmissions

Sharing

General

Target

Spectra Setup.exe
Size

47.6MB
Sample

240603-tvy9pacb9z
MD5

9865ea7b0c864c9cb7b402d719cc866e
SHA1

dc9e1f78e8b7211ed2390a513cfb1f42d1468c6e
SHA256

cced68e78da1e155cdc09eec9df2bd6e41d8597fbc0084b10e741ebebe7f46b7
SHA512

0ad597ce5bb9f526143574bfaf29076b1ce8dac69b5750b83406914e2005a9f21039f438b05fb03f1c808c93b0f57811c1e4f1c46dd44e10ccf71efca880e4f2
SSDEEP

786432:rjNnc3RM8Wugj/yqiJgNlGxnvG6yRDiWH/9e03f2kzszUyIoBMPj+mRPF:rjNncBG/7i2unvRyx/Z+HIoBa7

Score

10^/10

hijackloader rhadamanthys stealc doralands1 discovery execution loader spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Spectra Setup.exe

Resource

win10v2004-20240426-en

hijackloader rhadamanthys stealc doralands1 discovery execution loader spyware stealer

windows10-2004-x64

22 signatures

1800 seconds

Behavioral task

behavioral2

Sample

Spectra Setup.exe

Resource

win11-20240426-en

hijackloader rhadamanthys stealc doralands1 discovery execution loader spyware stealer

windows11-21h2-x64

22 signatures

1800 seconds

Malware Config

Extracted

Family

stealc

Botnet

doralands1

C2

http://45.88.79.153

Attributes

url_path
/e36377ea7ac96c9f.php

Targets

- Target
  
  Spectra Setup.exe
- Size
  
  47.6MB
- MD5
  
  9865ea7b0c864c9cb7b402d719cc866e
- SHA1
  
  dc9e1f78e8b7211ed2390a513cfb1f42d1468c6e
- SHA256
  
  cced68e78da1e155cdc09eec9df2bd6e41d8597fbc0084b10e741ebebe7f46b7
- SHA512
  
  0ad597ce5bb9f526143574bfaf29076b1ce8dac69b5750b83406914e2005a9f21039f438b05fb03f1c808c93b0f57811c1e4f1c46dd44e10ccf71efca880e4f2
- SSDEEP
  
  786432:rjNnc3RM8Wugj/yqiJgNlGxnvG6yRDiWH/9e03f2kzszUyIoBMPj+mRPF:rjNncBG/7i2unvRyx/Z+HIoBa7
Score

10^/10

hijackloader rhadamanthys stealc doralands1 discovery execution loader spyware stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

hijackloaderrhadamanthysstealcdoralands1discoveryexecutionloaderspywarestealer

behavioral2

hijackloaderrhadamanthysstealcdoralands1discoveryexecutionloaderspywarestealer

© 2018-2024

Terms | Privacy