File name:	transport.exe
Full analysis:	https://app.any.run/tasks/dec8e08f-2446-40b3-8095-112c31d981c6
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 06, 2025, 16:37:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	delphi rhadamanthys stealer hijackloader loader shellcode
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, InstallShield self-extracting archive, 9 sections
MD5:	72EC64D0BC0B31F8842C9B5D488C11E7
SHA1:	85D81EDEAC18C67D6C8B73AB628347586A5039AD
SHA256:	019E368CDFE9E71959DFC32917463653DFA4C35C129F1FEB1FE492187D46A22A
SSDEEP:	98304:ESdDQsSdmtZCzmut3GKjKhoIYreG+ahB64Sw9jt9XWUw2YjWmj00M4b+QbSpfjFH:E5GX44OOiQM7+VWujI

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2023:04:05 13:00:45+00:00
ImageFileCharacteristics:	Executable, Large address aware, Removable run from swap, Net run from swap
PEType:	PE32+
LinkerVersion:	14.34
CodeSize:	515584
InitializedDataSize:	267776
UninitializedDataSize:	-
EntryPoint:	0x53dd0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.7.3.0
ProductVersionNumber:	1.7.3.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
CompanyName:	Nymphet
FileDescription:	Aesthete
FileVersion:	1.7.3.0
InternalName:	burn
OriginalFileName:	spirograph.exe
ProductName:	Aesthete
ProductVersion:	1.7.3.0
LegalCopyright:	Copyright (c) Nymphet. All rights reserved.


(PID) Process:	(3988) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:	write	Name:	sn3
Value: DADCE69FB19E41BDF5049870453A2399EF02E97BD8F05EC34E2AA6179A303DF823D4BC46FE746F283519A9E25C8CD54BFCFC130821162644F239AB72E2A1E315

PID	Process	Filename		Type
4300	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_transport.exe_b00b3a48ce3504ca26e6167595bbb577618616_0bba22c0_860b6d8f-8676-4682-a4e4-d4a4596f0374\Report.wer		—
		MD5:—	SHA256:—
936	transport.exe	C:\Users\admin\AppData\Local\Temp\{AD957E84-36DF-4B10-ACC7-C5BAB043EB27}\.ba\profile.dll		executable
		MD5:A957F7E18D5493A99D151FF504214D09	SHA256:4E54F4D31BC41230F51A436613F00C893DFEBA11175667AF960E22E429849F3A
936	transport.exe	C:\Users\admin\AppData\Local\Temp\{AD957E84-36DF-4B10-ACC7-C5BAB043EB27}\.ba\Serum.dll		executable
		MD5:20AA36C2CE87D64CB58E7E32F0546FB1	SHA256:72A8176B2F34EA46B763AB64763F4434D660BC36E487E50E6137489403DA42F8
4328	cmd.exe	C:\Users\admin\AppData\Local\Temp\ijnqciqnf		—
		MD5:—	SHA256:—
936	transport.exe	C:\Users\admin\AppData\Local\Temp\{AD957E84-36DF-4B10-ACC7-C5BAB043EB27}\.ba\transform.asp		binary
		MD5:63AFA5CDF59535A6EE3A44C29972F740	SHA256:CB2DDAAB3E74CE3DDD633F401668B67331E9A7FB7BF506712C7557C3B1DDBC02
936	transport.exe	C:\Users\admin\AppData\Local\Temp\{AD957E84-36DF-4B10-ACC7-C5BAB043EB27}\.ba\libeay32.dll		executable
		MD5:73A8CDC0BB5B95C1BA6DEB39D71F0349	SHA256:639980C48DD692E9FF3144F3D932AA07E501F12197D587EC47EB5EC8F6B7696A
936	transport.exe	C:\Users\admin\AppData\Local\Temp\{AD957E84-36DF-4B10-ACC7-C5BAB043EB27}\.ba\BootstrapperApplicationData.xml		xml
		MD5:DFD882FC7A7427413097437512706355	SHA256:EEB5F50C2F1D5F4789812C2EFA4D734188F1D40652C21C67C1B983B445624CAD
3612	WinX_DVD_Ripper_Platinum.exe	C:\Users\admin\AppData\Roaming\Dn_explore_test\transform.asp		binary
		MD5:63AFA5CDF59535A6EE3A44C29972F740	SHA256:CB2DDAAB3E74CE3DDD633F401668B67331E9A7FB7BF506712C7557C3B1DDBC02
3612	WinX_DVD_Ripper_Platinum.exe	C:\Users\admin\AppData\Roaming\Dn_explore_test\libeay32.dll		executable
		MD5:73A8CDC0BB5B95C1BA6DEB39D71F0349	SHA256:639980C48DD692E9FF3144F3D932AA07E501F12197D587EC47EB5EC8F6B7696A
3612	WinX_DVD_Ripper_Platinum.exe	C:\Users\admin\AppData\Roaming\Dn_explore_test\profile.dll		executable
		MD5:A957F7E18D5493A99D151FF504214D09	SHA256:4E54F4D31BC41230F51A436613F00C893DFEBA11175667AF960E22E429849F3A

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4300	WerFault.exe	104.208.16.94:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1580	svchost.exe	91.108.241.156:6450	—	SIA Singularity Telecom	AU	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.186.142	whitelisted
watson.events.data.microsoft.com	104.208.16.94	whitelisted
self.events.data.microsoft.com	20.189.173.26	whitelisted

General Info

transport.exe

72EC64D0BC0B31F8842C9B5D488C11E7

85D81EDEAC18C67D6C8B73AB628347586A5039AD

019E368CDFE9E71959DFC32917463653DFA4C35C129F1FEB1FE492187D46A22A

98304:ESdDQsSdmtZCzmut3GKjKhoIYreG+ahB64Sw9jt9XWUw2YjWmj00M4b+QbSpfjFH:E5GX44OOiQM7+VWujI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RHADAMANTHYS mutex has been found

HIJACKLOADER has been detected (YARA)

RHADAMANTHYS has been detected (YARA)

SUSPICIOUS

Starts itself from another location

Executable content was dropped or overwritten

Process drops legitimate windows executable

Executes application which crashes

Starts CMD.EXE for commands execution

The process checks if it is being run in the virtual environment

Connects to unusual port

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name

Creates files or folders in the user directory

Reads the software policy settings

Compiled with Borland Delphi (YARA)

Manual execution by a user

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings