| File name: | Sample_infostealer.zip |
| Full analysis: | https://app.any.run/tasks/504f2667-27f2-4b3b-baf7-e58b4b466f12 |
| Verdict: | Malicious activity |
| Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
| Analysis date: | December 20, 2023, 12:21:42 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | A0E0CA0CC05C154A6DBCAA05D56BF763 |
| SHA1: | 3A759F7CD60964B64DB7ACCA34433D61D78B4F7F |
| SHA256: | 2209F0BF5F827E134D7387076DCAC013493AAB798F8B18F61B26C90F70F1F954 |
| SSDEEP: | 98304:kV3uPQxiEP4CKgEySs7R4t+Ve6R/MftY1hcr6OhpwLfzplJuPvG9WsUXFQead/mU:Ma2C3cx |
MALICIOUS
HIJACKLOADER has been detected (YARA)
- AppSetup.exe (PID: 864)
- AppSetup.exe (PID: 2572)
SUSPICIOUS
Process drops legitimate windows executable
- WinRAR.exe (PID: 2036)
INFO
Checks supported languages
- AppSetup.exe (PID: 864)
- AppSetup.exe (PID: 2572)
- AppSetup.exe (PID: 240)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2036)
Reads the computer name
- AppSetup.exe (PID: 864)
- AppSetup.exe (PID: 2572)
- AppSetup.exe (PID: 240)
Manual execution by a user
- AppSetup.exe (PID: 2572)
- explorer.exe (PID: 316)
- taskmgr.exe (PID: 1600)
- AppSetup.exe (PID: 240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:12:14 06:33:46 |
| ZipCRC: | 0xa89dbc98 |
| ZipCompressedSize: | 422779 |
| ZipUncompressedSize: | 960832 |
| ZipFileName: | AppSetup.exe |
Total processes
50
Monitored processes
6
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 240 | "C:\Users\admin\Desktop\AppSetup.exe" | C:\Users\admin\Desktop\AppSetup.exe | explorer.exe | ||||||||||||
User: admin Company: Cisco WebEx LLC Integrity Level: HIGH Description: ptInst Exit code: 3221225477 Version: 4007,0,2005,1900 Modules
| |||||||||||||||
| 316 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 864 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\AppSetup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\AppSetup.exe | WinRAR.exe | ||||||||||||
User: admin Company: Cisco WebEx LLC Integrity Level: MEDIUM Description: ptInst Exit code: 3221225477 Version: 4007,0,2005,1900 Modules
| |||||||||||||||
| 1600 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2036 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample_infostealer.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2572 | "C:\Users\admin\Desktop\AppSetup.exe" | C:\Users\admin\Desktop\AppSetup.exe | explorer.exe | ||||||||||||
User: admin Company: Cisco WebEx LLC Integrity Level: MEDIUM Description: ptInst Exit code: 3221225477 Version: 4007,0,2005,1900 Modules
| |||||||||||||||
Total events
1 237
Read events
1 211
Write events
26
Delete events
0
Modification events
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
28
Suspicious files
4
Text files
16
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\AppSetup.exe | executable | |
MD5:B15BAC961F62448C872E1DC6D3931016 | SHA256:BF1A0C67B433F52EBD304553F022BAA34BFBCA258C932D2B4B8B956B1467BFA5 | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\Settings\Drop Icons.txt | text | |
MD5:F603CED25A3360C092855E507579AC7C | SHA256:795782CD1C06683E88B59DF9FEA91794E1F47DAE568AC84267B6C5699D8387E1 | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\Settings\Libs\HandyControl.dll | executable | |
MD5:C1BBC02DF91DC77AE393DCCBC8529786 | SHA256:297DB4C73A0CF04952400FCD2E73FD6C1809376AF1B810732749BA0E1130CD75 | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\Settings\FolderBrowserEx.txt | text | |
MD5:E69719C20DFAEDF395EE3DE052DD0EED | SHA256:231CF882B16477966B27D02E6B1BEC69744B75F92609EA4620DCB3459546FB40 | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\msvcp140.dll | executable | |
MD5:71A0AA2D05E9174CEFD568347BD9C70F | SHA256:FDB3D86C512ADFF90967CB860D02A4682850AB96727F0376E4D4836504C50E47 | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\Settings\HandyControls.txt | text | |
MD5:41C8910CAE4DC901922E58B618BF5968 | SHA256:BA52B3124ECA4E9E9ABCBE8E4F6BB9DA75B0647AC8D135292716AAEF5CF0C6A3 | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\Settings\Libs\SharpVectors.Rendering.Gdi.dll | executable | |
MD5:CDFFA1D01A6742344086452F6A6E7E46 | SHA256:590B596A30D3313C28F41526A1CF26C0123DC0C55D494F113B1F0EAB16A1B286 | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\Settings\Iconizer.txt | text | |
MD5:5A09A9D88608DF8CF94811C845680216 | SHA256:37B9D899541C25B26883BCFBC0F306E063F2B42A81ADB5BB33CAE066481C8F2B | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\Settings\Libs\SharpVectors.Rendering.Wpf.dll | executable | |
MD5:D2D3DE3AA205B45CC77EA6E5CB8C8D07 | SHA256:4841856D55B9244D000B53AED72D8E1AD1EC5064C85AE628953012193E413411 | |||
| 2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2036.40060\Settings\Libs\SharpVectors.Converters.Wpf.dll | executable | |
MD5:58C8888A75C72A8FBE6728B0D3385181 | SHA256:CC26FD5B60A066C236F23768E0612EEBC2E664DD2ABF81413C62027A75A07F94 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |