Overview

overview

10

Static

static

10

63079f34-b...s1.exe

windows7-x64

10

63079f34-b...s1.exe

windows10-2004-x64

10

63079f34-b...s2.exe

windows7-x64

10

63079f34-b...s2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    63079f34-b294-4790-bfd5-bbad82995295.zip

  • Size

    4.1MB

  • Sample

    240612-2fg1vstamb

  • MD5

    d812765381c5cf8d7f685a7b5a91b121

  • SHA1

    e11309f0c4d03c3f4f2d06ed822c1059c90eaa75

  • SHA256

    2018909ea853d972659d1dee439da81b963d8addb44c87ed533ca6320112cac1

  • SHA512

    add54e5fa7d651c35aace63dae6d3b638409a8c923401f625ee0f15a8fb80239fd373c4f34145bf776114d93daeaa6b3554e6f999d2ff87c296a06ae00439f97

  • SSDEEP

    98304:LGjCR6FF3OY9XegtO4wmoVt/jU778tvNSIuumgf2Ie29:L43OWXegyVx4Wv9rf2d29

Score
10/10
hijackloaderrhadamanthysstealcvor11loaderspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

vor11

C2

http://45.132.105.157

Attributes
  • url_path

    /eb155c7506e03ca9.php

Targets

    • Target

      63079f34-b294-4790-bfd5-bbad82995295/snss1.exe

    • Size

      2.5MB

    • MD5

      000e90eccf68a55c18d556b9255e0cf7

    • SHA1

      4ba436301ec8511e9e45647cd3f3298df47c0f07

    • SHA256

      fbce9f6897452177133b628f8dcd289564c3d28428cdcd2cbed519d9b8724b07

    • SHA512

      9c80be1473eade67ad2cdc034bfe3bd00fb949740c4933933dfe835c36c442a02a1aaa9c1e9a3fc2cc47e0ea02549a035e0e446685a1edc7c7049ec262f5d034

    • SSDEEP

      49152:Yk70vECi0ZwHlZK+cw//RM73jR3ETZFF//X9yJWgs/CgEY:Yv2FZKkRM73jJETZT9mof

    Score
    10/10
    hijackloaderstealcvor11loaderspywarestealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

      loaderhijackloader

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Downloads MZ/PE file

    • Deletes itself

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      63079f34-b294-4790-bfd5-bbad82995295/snss2.exe

    • Size

      5.3MB

    • MD5

      9e2eb8188c5a194014e46598cbc80c70

    • SHA1

      d83d68b451836928c830808a9e408c8f2cce2210

    • SHA256

      d265adb64a79f3b27e77e11e093342b2df14840266deedabf1189bc539cc58fb

    • SHA512

      3ff5fa8c0f1eb5bd7bf46a5a27392fb0865d61d8c09549f9d7f29306e30275a5b3436c520f82142dc7d3780c468aab2e7c79361457f7c5aa11a132c1ec49c009

    • SSDEEP

      98304:PlW75lC85H0kxwkL+Wd5Cz1ljuDDCNlSM:Pwhr+45CzvjBlh

    Score
    10/10
    hijackloaderloaderrhadamanthysstealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

      loaderhijackloader

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks