hijackloader

General

Target

Dexis Setup.exe
Size

64.6MB
Sample

240611-s7cqsascmb
MD5

3dbdc09c8952d7994ed78402578824ba
SHA1

d2e4d6e2e6d2ef70585cdee62d543b81c15b29cf
SHA256

e9d1c22e3616399e4ce428ab0c4bbc7d0519f9e3cd19ad91d33bcef5ce539f5c
SHA512

d7c0876e4f9fd21e63d1a5428b7840f7bde717ea81e78482c59f2adafa3bb96a9b083aead5096bd9362b7590ed9ae5604801f68bab47764fa5b006837d3b62a1
SSDEEP

1572864:FQsJjyxAAJXIUEqFGX6xJU2i7d9I3jdz/q2A5znDfRxgJX2+JcUo4c:FQ+jyZLEqFC602OOz/7ApDfRxgJBcUoD

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

dex9

C2

http://45.132.105.157

Attributes

url_path
/eb155c7506e03ca9.php

Targets

- Target
  
  Dexis Setup.exe
- Size
  
  64.6MB
- MD5
  
  3dbdc09c8952d7994ed78402578824ba
- SHA1
  
  d2e4d6e2e6d2ef70585cdee62d543b81c15b29cf
- SHA256
  
  e9d1c22e3616399e4ce428ab0c4bbc7d0519f9e3cd19ad91d33bcef5ce539f5c
- SHA512
  
  d7c0876e4f9fd21e63d1a5428b7840f7bde717ea81e78482c59f2adafa3bb96a9b083aead5096bd9362b7590ed9ae5604801f68bab47764fa5b006837d3b62a1
- SSDEEP
  
  1572864:FQsJjyxAAJXIUEqFGX6xJU2i7d9I3jdz/q2A5znDfRxgJX2+JcUo4c:FQ+jyZLEqFC602OOz/7ApDfRxgJBcUoD
Score

10^/10

hijackloader rhadamanthys stealc dex9 execution loader spyware stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1