BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

HijackLoader

49
Global rank
13 infographic chevron month
Month rank
7 infographic chevron week
Week rank
42
IOCs

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Loader
Type
Unknown
Origin
1 July, 2023
First seen
18 June, 2024
Last seen

How to analyze HijackLoader with ANY.RUN

Type
Unknown
Origin
1 July, 2023
First seen
18 June, 2024
Last seen

IOCs

IP addresses
185.215.113.67
193.233.132.139
Hashes
bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26
0ae58be8d7058e40926fdb51b76043d109b96b91aa9fa2950dbb8a3626185e0f
a38da72082fc2dc1f60b3b245e1f2382d5f8c1d08ebc397dd0d81cc9f74ebbe6
8c12d821cae4d797fece228c0f433a007b8ad0643b778de8fa8a20b01504a522
aba5c1f30b8de1a07a4fcb401c55a07387f41994f9bb5495a604694b055b6f97
132e2aaf6ba22738d79a027f967b865154f427eb5aa9c623dd4a2e9c0656e279
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8
4ffb8d67aff441d7c75312221a715916941e29623e8c090dddd251a7e9a8d577
1495fe416d65a16ec29e30de2a8f410e2930278eacf43943c45804cc9f502b2f
4416d271999879f69acf3f414d06ef47852c5a9f174a543b8d30784b10b6ce73
9469de22339cb061f83ad060ea6f2110c5f0c3c4a08017db2a5cf457691a83ca
7686ffb96c606f5138af8818871f433f6ebe6c94597e496da1c9b07b3c2338d4
5eec94a4cd6f1e0fa8a361ef8e78464431092718c4bda40ad5c83d607ef9a31c
038d7b257b98421ad371189cf51d67f32ddad2de687c443a59ea74e4027bbf04
3c5ef21065ce78141738202ee7f678f8b1fe666d49b7639ff82f95eda73cdd2b
a93534a4e4b8d9ce1a4d0450c32e1d92260564d5de9124a7ad1c3dbe9b4fae14
80f05865e59ec4e12e504adbf5fae3d706b5d27e5ab2fc52fcd0feb19365c7b0
89c61b5b70d806f603c431365f11f5faaa06f4ce34fc8006fb7ed026a2efdde4
1a99ac759fcd881729b76c2904476b4201e794df2d0547c954ea37be7c153131
fb5d2309c3f060517c2906f48aeb202046113ae696984c5f6890d52cb1950848
Domains
discussiowardder.website
mail.zoomfilms-cz.com
wxt82.xyz
lovletterstolife.store
my-chemicals.online
249b871ab7d2.info
haglove.stream
pekhytrn.click
mecter.com
cracksmad.com
staplesprofessional.ca
admin.zscalertbeta.net
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 171
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 190
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 341
comments 0

What is HijackLoader malware?

HijackLoader is a loader malware that possesses strong evasion capabilities, allowing it to bypass mainstream security solutions. It has been observed to deliver numerous persistent malware families, such as DanaBot and the RedLine stealer.

Most of the known attacks involving HijackLoader began with phishing emails. As of the end of 2023, it continues to be an active threat. The modular design of the malware is one of the key factors behind its popularity. It enables HijackLoader to ensure a more flexible approach to deployment on the infected system and further execution of the final payloads.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Technical details of the HijackLoader malicious software

HijackLoader is notorious for its ability to evade detection. One way it does this is by utilizing a modified Windows C Runtime (CRT) function to gain a foothold on the device.

During the initial stage, HijackLoader also ascertains whether the final payload is embedded in the binary or has to be downloaded from external sources. It does this through the use of an array of DWORD values.

It can also check if the device is connected to the Internet by attempting to connect to legitimate websites. The network connectivity check is a clever strategy that allows HijackLoader to remain undetected while the network is unavailable. In a similar fashion, the malware can delay the execution of different parts of its code to once again avoid early detection.

To make it more difficult for reverse engineers to analyze its code, the malware uses dynamic API loading via a custom hashing method. This makes it harder to locate the specific API calls used during execution.

HijackLoader’s AVDATA module is designed specifically for the purpose of identifying security software installed on the system and adjusting its operation depending on the results of its scanning.

Execution process of HijackLoader

Let’s take a closer look at the execution flow of a HijackLoader sample by uploading it to the ANY.RUN sandbox.

HijackLoader is a typical loader, and its execution flow is also straightforward and simple. This simplicity allows malware to remain less active inside infected systems, making it more challenging to detect. However, it can still attract attention in certain cases.

In our example, the loader leveraged the CMD utility to stay under the radar. It, in turn, initiates the MSBuild process, which downloads and runs the Phonk which downloads the miner. HijackLoader demonstrates evasion capabilities that aid in staying undetected by certain security solutions.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

HijackLoader process tree shown in ANY.RUN HijackLoader's process tree demonstrated in ANY.RUN

Distribution methods of the HijackLoader malware

The preferred method of infiltration among the attackers behind HijackLoader is phishing attacks, where cybercriminals craft emails that appear to be from legitimate sources, hoping to trick recipients into opening malicious attachments or clicking on infected links.

In one notable instance, hotels were targeted with emails from fake clients claiming to be staying at the hotel and requesting staff to download a file containing information on their allergy. Once opened, the file kickstarted the infection chain resulting in the deployment of HijackLoader on the victim’s device.

Conclusion

Keeping your infrastructure safe from a HijackLoader infection requires a proactive cybersecurity approach. An indispensable part of it is a reliable malware analysis sandbox like ANY.RUN.

With ANY.RUN, you can example incoming emails to determine any malicious intent behind them with ease. The service’s interactive cloud environment enables you to effectively investigate even the most intricate phishing campaigns and uncover multi-stage attacks in no time. The service delivers comprehensive text reports encompassing detailed information about the submitted files and links, including fresh IOCs.

Adopt a proactive cybersecurity approach by leveraging ANY.RUN.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy