File name:	2025-06-21_6a74326fe6c0fcb62da2aec319ea127b_cobalt-strike_hijackloader
Full analysis:	https://app.any.run/tasks/7f8dc972-82e9-467b-8296-f2759c61056e
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 14:58:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	golang arch-doc stealer loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 7 sections
MD5:	6A74326FE6C0FCB62DA2AEC319EA127B
SHA1:	48374483AADA7C15FCB1E86DCE42A9AA0BC6E387
SHA256:	5B6BF0029CC39514D7AE5CA6A57A219A4AAFAC1C7F635AE302BE1E7BCD7DCCE3
SSDEEP:	24576:pUhgfKusaKifemOiNDx5Qf7exyg3fydi2XpdUUT4T:yusaKif+iNDx5QDexygvyAEK

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	3
CodeSize:	515072
InitializedDataSize:	125952
UninitializedDataSize:	-
EntryPoint:	0x5b880
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	25.13.6.0
ProductVersionNumber:	25.13.6.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Secure, manage, and trade blockchain assets.
FileVersion:	25.13.6
InternalName:	Setup.exe
LegalCopyright:	Copyright B) 2025 Exodus Movement Inc
OriginalFileName:	Setup.exe
ProductName:	Secure, manage, and trade blockchain assets.
ProductVersion:	25.13.6
SquirrelAwareVersion:	1
CompanyName:	Exodus Movement Inc


(PID) Process:	(4320) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(4320) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2532) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2532) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(1128) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 1
(PID) Process:	(1204) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 1
(PID) Process:	(432) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 2
(PID) Process:	(432) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 3
(PID) Process:	(6344) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 2
(PID) Process:	(6344) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 3

PID	Process	Filename		Type
1068	2025-06-21_6a74326fe6c0fcb62da2aec319ea127b_cobalt-strike_hijackloader.exe	C:\Users\admin\Desktop\Soul.db		—
		MD5:—	SHA256:—
2188	chrome.exe	C:\Users\admin\AppData\Local\Temp\Web Data		binary
		MD5:983A5B37990067066CF80EDDF2426994	SHA256:E499265D1817B9CD52AC502B7BE6DEF5174478CAAAB7DADE263A7754E4E838D3
432	chrome.exe	C:\Users\admin\AppData\Local\Temp\Cookies		binary
		MD5:3EB66F8F3F058E157563F42DBF644355	SHA256:AD0A6073D226341F699F465BDD35F01E88F0E9D4BCCEC816D6DF06D34F848350
1700	explorer.exe	C:\Users\admin\hjksfoq.exe		executable
		MD5:9FE91D8225D6018E438AFC7BB393BB65	SHA256:21D0BD2F5870C46CAFA2A3AC4771CE0D907E1E03B926AE8820298F639E3B4FB6
1128	chrome.exe	C:\Users\admin\AppData\Local\Temp\Login Data		binary
		MD5:A45465CDCDC6CB30C8906F3DA4EC114C	SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:4DCDE7359EE11FBEFEE187B3484806B9	SHA256:9389112CECF24732043F06BDC68AC77DD8419242CBF20C32DA2ADF509F83CA4E
6532	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CF863C0D-9BCA-4FBB-8C9F-5DC5D1452640		xml
		MD5:B8A89470FD2E3E347A9DD3B18D205228	SHA256:C820506A73EF9D1D746C4AF2A9349AFA5DAE255BE412E08658F12AFACB5D5F2E
6532	WINWORD.EXE	C:\Users\admin\Desktop\~$imalsmichael.rtf		pgc
		MD5:E8E9F6271AB1BA20A9967A387CBFCEDC	SHA256:23F2505E42FCCCD0EEEE4E0D840BC49F0890907965F1CD3F245B52A61C03B5AE
6532	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		ini
		MD5:35C0CBEA8B497A0439D347572B3BCEEF	SHA256:577A6039258E422A292B67ED292DDB7CBFD57025799851579CF5EDB7CBB15239
6532	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\animalsmichael.rtf.LNK		binary
		MD5:B280A70EDBD2F669E6B639C4041CF6D6	SHA256:5D4C3E5AC3CD61E720F5BF1BD243ABA6CD042A1CFB69E0EA112F97549095AD6F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.40:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	104.21.112.1:443	https://b1.cornmealjustly.lat/Up/b	unknown	—	—	—
4512	RUXIMICS.exe	GET	200	184.24.77.40:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	184.24.77.40:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4512	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	104.21.96.1:443	https://b1.cornmealjustly.lat/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371	unknown	text	31.8 Kb	—
—	—	POST	200	104.21.96.1:443	https://b1.cornmealjustly.lat/Up	unknown	—	—	—
—	—	POST	200	104.21.80.1:443	https://b1.cornmealjustly.lat/Up/b	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4512	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	184.24.77.40:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4512	RUXIMICS.exe	184.24.77.40:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	184.24.77.40:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4512	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
google.com	142.250.186.78	whitelisted
crl.microsoft.com	184.24.77.40 184.24.77.27 184.24.77.37 184.24.77.23 184.24.77.22 184.24.77.15 184.24.77.28 184.24.77.16 184.24.77.30 184.24.77.43 184.24.77.5 184.24.77.18 184.24.77.39 184.24.77.7 184.24.77.9 184.24.77.13	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
omex.cdn.office.net	23.50.131.86 23.50.131.87	whitelisted
ecs.office.com	52.123.129.14 52.123.128.14	whitelisted
messaging.lifecycle.office.com	52.111.231.8	whitelisted
self.events.data.microsoft.com	52.168.112.66 20.189.173.10	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	A Network Trojan was detected	ET MALWARE ACR/Amatera Stealer CnC Checkin Attempt
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	Malware Command and Control Activity Detected	ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	Malware Command and Control Activity Detected	ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	Malware Command and Control Activity Detected	ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP
—	—	Misc activity	ET HUNTING ZIP file exfiltration over raw TCP

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

2025-06-21_6a74326fe6c0fcb62da2aec319ea127b_cobalt-strike_hijackloader

6A74326FE6C0FCB62DA2AEC319EA127B

48374483AADA7C15FCB1E86DCE42A9AA0BC6E387

5B6BF0029CC39514D7AE5CA6A57A219A4AAFAC1C7F635AE302BE1E7BCD7DCCE3

24576:pUhgfKusaKifemOiNDx5Qf7exyg3fydi2XpdUUT4T:yusaKif+iNDx5QDexygvyAEK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

INFO

Checks supported languages

Application based on Golang

The sample compiled with english language support

Manual execution by a user

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings