File name:	general.ps1
Full analysis:	https://app.any.run/tasks/8571e661-1024-41c0-b826-e4fdc100b560
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 18:40:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion stealer loader arch-doc api-base64 rhadamanthys delphi hijackloader shellcode
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	1DD7502423D714508F97C7463EBAB970
SHA1:	289520278ED12B82B6D44EB91C0A28EA658BC12F
SHA256:	B154ECDCAB89B750554E6CB2C8FE7297E9E974E0A4171866B5A632014F110B81
SSDEEP:	768:d+2JRLUibZWtZnWl2Q2OdJoPXWiv9hQZH:d+2JHbMt9WlVojVCH


(PID) Process:	(5780) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(5780) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(5780) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(1180) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithProgids
Operation:	write	Name:	MSCFile
Value:
(PID) Process:	(4376) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4376) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4376) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4376) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:	write	Name:	Version
Value: WS not running
(PID) Process:	(4376) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	DisableFirstRunCustomize
Value: 1
(PID) Process:	(7880) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:	write	Name:	sn3
Value: 847F7CE51462C9D28180D6724CEFBEFF7C06CDFCB1F48B5AEFE8DBE5C728D67E376BAA4547E47E9FF6B5D0B7415C63D1574A364894F894CA4049A177423884BC

PID	Process	Filename		Type
6988	program.exe	C:\Users\admin\AppData\Local\Temp\Fickle Stealer\Browser Data\cookies_netscape_Firefox.txt		—
		MD5:—	SHA256:—
6988	program.exe	C:\Users\admin\AppData\Local\Temp\Fickle Stealer\Browser Data\cookies_netscape_Chrome.txt		—
		MD5:—	SHA256:—
6988	program.exe	C:\Users\admin\AppData\Local\Temp\Fickle Stealer\Browser Data\autofill.txt		—
		MD5:—	SHA256:—
1180	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w4ivwmvi.xin.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5936	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:33DE27C8DCC88FC3DB33B429DB60C7D5	SHA256:708AE655B44F33D7DCD06BC681E15BD4D8E9C37226D62D38FF8F51FF0EB714E3
5936	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10b8f1.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5780	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF11de38.TMP		—
		MD5:—	SHA256:—
5780	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
5936	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\67U96XB9A4EH1DW4YCN4.temp		binary
		MD5:2E1F33FF8F0C663485288D8B49FEAA17	SHA256:80BC173CA70571A129E0BC02B9A070492616AAF8644C0996D5FBEC09C6087F99
5936	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ew04y4x.0fb.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
5936	powershell.exe	GET	200	34.117.59.81:80	http://ipinfo.io//json	unknown	—	—	unknown
—	—	GET	200	104.26.13.205:443	https://api.ipify.org/	unknown	text	12 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	unknown
2112	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5936	powershell.exe	82.115.223.231:8080	api.noexploit.net	Partner LLC	RU	unknown
5936	powershell.exe	172.67.74.152:443	api.ipify.org	CLOUDFLARENET	US	unknown
5936	powershell.exe	34.117.59.81:80	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	unknown
3216	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
6544	svchost.exe	40.126.32.140:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	unknown
google.com	216.58.206.78	unknown
api.noexploit.net	82.115.223.231	unknown
api.ipify.org	172.67.74.152 104.26.12.205 104.26.13.205	unknown
ipinfo.io	34.117.59.81	unknown
client.wns.windows.com	40.113.103.199 40.115.3.253 40.113.110.67	unknown
login.live.com	40.126.32.140 20.190.160.130 40.126.32.133 20.190.160.66 40.126.32.74 40.126.32.136 20.190.160.65 20.190.160.4 40.126.32.72 20.190.160.22 20.190.160.128 40.126.32.134 20.190.160.3 40.126.32.68 40.126.32.138 40.126.32.76 20.190.160.132 20.190.160.5 20.190.160.14	unknown
arc.msn.com	20.223.35.26	unknown
slscr.update.microsoft.com	172.202.163.200	unknown
crl.microsoft.com	2.16.168.124 2.16.168.114	unknown

PID	Process	Class	Message
5936	powershell.exe	Potential Corporate Privacy Violation	ET INFO Possible IP Check api.ipify.org
2196	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
5936	powershell.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
5936	powershell.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 8
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
—	—	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
5936	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
5936	powershell.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ipinfo.io
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)

General Info

general.ps1

1DD7502423D714508F97C7463EBAB970

289520278ED12B82B6D44EB91C0A28EA658BC12F

B154ECDCAB89B750554E6CB2C8FE7297E9E974E0A4171866B5A632014F110B81

768:d+2JRLUibZWtZnWl2Q2OdJoPXWiv9hQZH:d+2JHbMt9WlVojVCH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Run PowerShell with an invisible window

Changes powershell execution policy (Bypass)

Suspicious browser debugging (Possible cookie theft)

Changes Windows Defender settings

Adds path to the Windows Defender exclusion list

Executing a file with an untrusted certificate

RHADAMANTHYS mutex has been found

HIJACKLOADER has been detected (YARA)

RHADAMANTHYS has been detected (YARA)

SUSPICIOUS

Potential Corporate Privacy Violation

Checks for external IP

Uses base64 encoding (POWERSHELL)

The process executes Powershell scripts

Application launched itself

Starts POWERSHELL.EXE for commands execution

Multiple wallet extension IDs have been found

Executable content was dropped or overwritten

Creates new GUID (POWERSHELL)

Writes data into a file (POWERSHELL)

Loads DLL from Mozilla Firefox

Uses TASKKILL.EXE to kill Browsers

Gets file extension (POWERSHELL)

Uses sleep to delay execution (POWERSHELL)

Reads Microsoft Outlook installation path

Gets content of a file (POWERSHELL)

Script adds exclusion path to Windows Defender

Reads Internet Explorer settings

Manipulates environment variables

Possibly malicious use of IEX has been detected

Uses TASKKILL.EXE to kill process

Starts itself from another location

Starts CMD.EXE for commands execution

Identifying current user with WHOAMI command

The process checks if it is being run in the virtual environment

INFO

Script raised an exception (POWERSHELL)

Disables trace logs

Checks if a key exists in the options dictionary (POWERSHELL)

Checks proxy server information

Potential modification of remote process state (Base64 Encoded 'SetThreadContext')

Gets data length (POWERSHELL)

Reads Windows Product ID

Reads the software policy settings

Uses string replace method (POWERSHELL)

Gets or sets the time when the file was last written to (POWERSHELL)

Reads the computer name

Checks supported languages

Create files in a temporary directory

The executable file from the user directory is run by the Powershell process

Drops encrypted JS script (Microsoft Script Encoder)

Checks whether the specified file exists (POWERSHELL)

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Application launched itself

The sample compiled with english language support

Compiled with Borland Delphi (YARA)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information