File name:	2025-06-21_6a74326fe6c0fcb62da2aec319ea127b_cobalt-strike_hijackloader
Full analysis:	https://app.any.run/tasks/7f8dc972-82e9-467b-8296-f2759c61056e
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 14:58:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	golang arch-doc stealer loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 7 sections
MD5:	6A74326FE6C0FCB62DA2AEC319EA127B
SHA1:	48374483AADA7C15FCB1E86DCE42A9AA0BC6E387
SHA256:	5B6BF0029CC39514D7AE5CA6A57A219A4AAFAC1C7F635AE302BE1E7BCD7DCCE3
SSDEEP:	24576:pUhgfKusaKifemOiNDx5Qf7exyg3fydi2XpdUUT4T:yusaKif+iNDx5QDexygvyAEK

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	3
CodeSize:	515072
InitializedDataSize:	125952
UninitializedDataSize:	-
EntryPoint:	0x5b880
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	25.13.6.0
ProductVersionNumber:	25.13.6.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Secure, manage, and trade blockchain assets.
FileVersion:	25.13.6
InternalName:	Setup.exe
LegalCopyright:	Copyright B) 2025 Exodus Movement Inc
OriginalFileName:	Setup.exe
ProductName:	Secure, manage, and trade blockchain assets.
ProductVersion:	25.13.6
SquirrelAwareVersion:	1
CompanyName:	Exodus Movement Inc


(PID) Process:	(4320) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(4320) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2532) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2532) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(1128) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 1
(PID) Process:	(1204) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 1
(PID) Process:	(432) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 2
(PID) Process:	(432) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 3
(PID) Process:	(6344) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 2
(PID) Process:	(6344) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 3

PID	Process	Filename		Type
1068	2025-06-21_6a74326fe6c0fcb62da2aec319ea127b_cobalt-strike_hijackloader.exe	C:\Users\admin\Desktop\Soul.db		—
		MD5:—	SHA256:—
432	chrome.exe	C:\Users\admin\AppData\Local\Temp\Cookies		binary
		MD5:3EB66F8F3F058E157563F42DBF644355	SHA256:AD0A6073D226341F699F465BDD35F01E88F0E9D4BCCEC816D6DF06D34F848350
2188	chrome.exe	C:\Users\admin\AppData\Local\Temp\Web Data		binary
		MD5:983A5B37990067066CF80EDDF2426994	SHA256:E499265D1817B9CD52AC502B7BE6DEF5174478CAAAB7DADE263A7754E4E838D3
6532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:4DCDE7359EE11FBEFEE187B3484806B9	SHA256:9389112CECF24732043F06BDC68AC77DD8419242CBF20C32DA2ADF509F83CA4E
6532	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:C52A911C31781206F5D7EC205A7C47E4	SHA256:6819BE41BBDFD0CCA2785714B0DB275B3E695C352227166F857D9E18CE2E47C1
6532	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		ini
		MD5:35C0CBEA8B497A0439D347572B3BCEEF	SHA256:577A6039258E422A292B67ED292DDB7CBFD57025799851579CF5EDB7CBB15239
6532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CF863C0D-9BCA-4FBB-8C9F-5DC5D1452640		xml
		MD5:B8A89470FD2E3E347A9DD3B18D205228	SHA256:C820506A73EF9D1D746C4AF2A9349AFA5DAE255BE412E08658F12AFACB5D5F2E
6532	WINWORD.EXE	C:\Users\admin\Desktop\~$ouniversity.rtf		binary
		MD5:0325D3245BF4035561B4F1BAE88D67B9	SHA256:A2B4FB316EDE8F61FE7CA19C9967F0CEA89A1D2959CF1CD31A6419E357BE4BF5
6532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:96B238FCC314BBD899F4D1B76B5EA621	SHA256:BFBA165C0F8B297FA04158052E8E231143CBB4F11A1C1547591C54FC4166EB7E
6532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin		text
		MD5:1CA8F0E7BA74E9B5880596AE698C5990	SHA256:E6636C94E7096ED8EE9623535EE97C74FC0592B55DCDB45A3B3C16D7AA483BEC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.40:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4512	RUXIMICS.exe	GET	200	184.24.77.40:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.24.77.40:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4512	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	104.21.96.1:443	https://b1.cornmealjustly.lat/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371	unknown	text	31.8 Kb	unknown
—	—	POST	200	104.21.96.1:443	https://b1.cornmealjustly.lat/Up	unknown	—	—	unknown
—	—	POST	200	104.21.16.1:443	https://b1.cornmealjustly.lat/Up/b	unknown	—	—	unknown
—	—	POST	200	104.21.80.1:443	https://b1.cornmealjustly.lat/Up/b	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4512	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	184.24.77.40:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4512	RUXIMICS.exe	184.24.77.40:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.24.77.40:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4512	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
google.com	142.250.186.78	whitelisted
crl.microsoft.com	184.24.77.40 184.24.77.27 184.24.77.37 184.24.77.23 184.24.77.22 184.24.77.15 184.24.77.28 184.24.77.16 184.24.77.30 184.24.77.43 184.24.77.5 184.24.77.18 184.24.77.39 184.24.77.7 184.24.77.9 184.24.77.13	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
omex.cdn.office.net	23.50.131.86 23.50.131.87	whitelisted
ecs.office.com	52.123.129.14 52.123.128.14	whitelisted
messaging.lifecycle.office.com	52.111.231.8	whitelisted
self.events.data.microsoft.com	52.168.112.66 20.189.173.10	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	A Network Trojan was detected	ET MALWARE ACR/Amatera Stealer CnC Checkin Attempt
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	Malware Command and Control Activity Detected	ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	Malware Command and Control Activity Detected	ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	Malware Command and Control Activity Detected	ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

2025-06-21_6a74326fe6c0fcb62da2aec319ea127b_cobalt-strike_hijackloader

6A74326FE6C0FCB62DA2AEC319EA127B

48374483AADA7C15FCB1E86DCE42A9AA0BC6E387

5B6BF0029CC39514D7AE5CA6A57A219A4AAFAC1C7F635AE302BE1E7BCD7DCCE3

24576:pUhgfKusaKifemOiNDx5Qf7exyg3fydi2XpdUUT4T:yusaKif+iNDx5QDexygvyAEK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

INFO

Application based on Golang

The sample compiled with english language support

Checks supported languages

Manual execution by a user

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings