File name:	031cb1c69db095e0a56ba97e6d01924733d1eca053fe58bca57158fdb1a0ea78.bin
Full analysis:	https://app.any.run/tasks/c003d556-68dd-488e-a873-f226a1f33f27
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 15, 2025, 17:55:38
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	rhadamanthys stealer hijackloader loader websocket
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	1A560E6AC1E56D6F1AA00E99132902B8
SHA1:	2706E759A40EE5BA597AFDC050007A772D668D9B
SHA256:	031CB1C69DB095E0A56BA97E6D01924733D1ECA053FE58BCA57158FDB1A0EA78
SSDEEP:	196608:437n/0JG7CZeywA2T9Xl4+9c1b41IccxomSPD7ejErUoY3PAXbsU1JynWr2:O7/37C8MQ9W+9QbecHAKEC3PAXbJ+nWy

ZipRequiredVersion:	20
ZipBitFlag:	0x0008
ZipCompression:	Deflated
ZipModifyDate:	2025:03:17 14:13:00
ZipCRC:	0xc76049c9
ZipCompressedSize:	3061
ZipUncompressedSize:	8944
ZipFileName:	lnstaIer.py


(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\031cb1c69db095e0a56ba97e6d01924733d1eca053fe58bca57158fdb1a0ea78.bin.zip
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3568) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\lnstaIer.py		text
		MD5:F82BFB01FA17B87134B14FC21DDACB74	SHA256:5A2D8E648E3F4CBDCD32CBD2BB0BA48D10DE32FE14042E201A8BB7088CEFAD79
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\._lnstaIer.py		binary
		MD5:F948B9B7D71E8499AB0BB16298950D26	SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\archive.rpa		binary
		MD5:3C8CB207B14F16245F8DA6893D334D18	SHA256:3D8EA7DB91841F5AC40F8DBEC5345A3E2E213F147BA1BFAEC29BBEEC0458FDFE
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\._data		binary
		MD5:F948B9B7D71E8499AB0BB16298950D26	SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._archive.rpa		binary
		MD5:F948B9B7D71E8499AB0BB16298950D26	SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\script_version.txt		binary
		MD5:5569A7FF423EA1F96B903A68457DC553	SHA256:C376AAC0470C00F63804E0ED35E1B812DCC11C80CCFDFBFCF4CE2EBE02ACA6D7
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\.key		text
		MD5:3EB2931CC49DB48E7C9D0AAE93DCDF91	SHA256:46781D1A6BA1854828605C5173DC638CC725382AD828DED373C4D8870EFAEC74
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._cache		binary
		MD5:F948B9B7D71E8499AB0BB16298950D26	SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._script_version.txt		binary
		MD5:F948B9B7D71E8499AB0BB16298950D26	SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159
3568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._.key		binary
		MD5:F948B9B7D71E8499AB0BB16298950D26	SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1496	smartscreen.exe	GET	200	23.50.131.200:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fb0d43fa2dbc9d51	unknown	—	—	whitelisted
1496	smartscreen.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3640	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1352	svchost.exe	GET	200	88.221.110.216:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?08d15ef3f08c448e	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?2efe063e74f19306	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?a373b5c2c52739f9	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6fcbef6e9a78fd97	unknown	—	—	whitelisted
5508	svchost.exe	GET	200	109.107.165.124:80	http://api.globalshimserv.top/76ece4d3ab5c60ead288414/9uaeqb17.m4tgq	unknown	—	—	—
2988	OfficeClickToRun.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1352	svchost.exe	88.221.110.147:80	—	Akamai International B.V.	DE	unknown
1496	smartscreen.exe	48.209.162.134:443	checkappexec.microsoft.com	—	US	whitelisted
1496	smartscreen.exe	23.50.131.200:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	whitelisted
1496	smartscreen.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1480	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3640	svchost.exe	40.126.32.140:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3640	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1352	svchost.exe	88.221.110.216:80	—	Akamai International B.V.	DE	unknown

Domain	IP	Reputation
google.com	172.217.16.206	whitelisted
checkappexec.microsoft.com	48.209.162.134	whitelisted
ctldl.windowsupdate.com	23.50.131.200 23.50.131.216 199.232.214.172 199.232.210.172	whitelisted
ocsp.digicert.com	2.17.190.73 2.23.77.188	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
login.live.com	40.126.32.140 20.190.160.22 20.190.160.14 40.126.32.74 40.126.32.138 20.190.160.17 40.126.32.76 20.190.160.3	whitelisted
fs.microsoft.com	104.102.63.189	whitelisted
dns.msftncsi.com	131.107.255.255	whitelisted
self.events.data.microsoft.com	40.79.167.8	whitelisted
cloudflare-dns.com	104.16.248.249 104.16.249.249	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET INFO Microsoft Connection Test
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
—	—	Misc activity	ET INFO Cloudflare DNS Over HTTPS Certificate Inbound
—	—	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request

Process	Message
chrome.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrA941.tmp directory exists )
msedge.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrBDC4.tmp directory exists )
msedge.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrDA94.tmp directory exists )

General Info

031cb1c69db095e0a56ba97e6d01924733d1eca053fe58bca57158fdb1a0ea78.bin

1A560E6AC1E56D6F1AA00E99132902B8

2706E759A40EE5BA597AFDC050007A772D668D9B

031CB1C69DB095E0A56BA97E6D01924733D1ECA053FE58BCA57158FDB1A0EA78

196608:437n/0JG7CZeywA2T9Xl4+9c1b41IccxomSPD7ejErUoY3PAXbsU1JynWr2:O7/37C8MQ9W+9QbecHAKEC3PAXbJ+nWy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

HIJACKLOADER has been detected (YARA)

RHADAMANTHYS mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the Internet Settings

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

There is functionality for taking screenshot (YARA)

Executable content was dropped or overwritten

The process drops C-runtime libraries

The process checks if it is being run in the virtual environment

Reads settings of System Certificates

Reads Mozilla Firefox installation path

Loads DLL from Mozilla Firefox

Searches for installed software

Connects to unusual port

INFO

The sample compiled with english language support

Executable content was dropped or overwritten

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Checks operating system version

Checks proxy server information

Creates files or folders in the user directory

Uses string replace method (POWERSHELL)

The sample compiled with chinese language support

Reads the computer name

Creates files in the program directory

Manual execution by a user

Application launched itself

Reads Environment values

Process checks computer location settings

Process checks whether UAC notifications are on

Attempting to connect via WebSocket

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information