MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6ae6e103f0371ecac8cbd9585ebcd3322e9d173cee805bfb8d16a4e5a157bd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6ae6e103f0371ecac8cbd9585ebcd3322e9d173cee805bfb8d16a4e5a157bd2
SHA3-384 hash: fac1bb4cf67eaabbc3b3d30ee5b0e08053dd9f621338c8d042adbd062fbaa600e91906eb2cb75a735a6fb9c1afadb9f5
SHA1 hash: a5a7bccae5dcfeaf89038d3efddbb6cbae3cad33
MD5 hash: f6f78b719ba722e06f38869dbfdeec21
humanhash: oregon-neptune-william-papa
File name:lkgkdsjd.com.bat
Download: download sample
Signature HijackLoader
Create hunting rule
File size:1'086 bytes
First seen:2026-04-22 13:53:50 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24:w7DbvAellueP8DlcnteBYy9JBA7flGYtnlfYtyj8S:WbAellueP8DlcnteBV9JBADEYtnhYtyr
Threatray 132 similar samples on MalwareBazaar
TLSH T16911D0AF35001D34F91D36D9D785258B65CAC2D339C4BACCF0E50691AB4735C0186FA7
Magika batch
Reporter JAMESWT_WT
Tags:bat booking HIjackLoader lkgkdsjd-com pulse-srvc-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
IT IT
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
BatchScript
varying reportable information from embedded commands and any observed URLs
Link:
https://research.acce.ciphertechsolutions.com/results/206c27a8-3f96-49d0-aff3-986242333ee1/
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
https://admin.booking.com-complete-captcha.info/?_r=07e19c6261434fb098b956f768d50718
Verdict:
Malicious activity
Analysis date:
2026-04-22 12:10:15 UTC
Tags:
auto netsupport rat loader stealer hijackloader openssl tool amsi-bypass
Link:
https://app.any.run/tasks/3dca8cf3-86ad-4429-a5b5-9812fd534d53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/63099/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.49696591.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e8d3064aed15d0792f1fb8
Tags:
shell sage smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug bitsadmin evasive lolbin masquerade
Link:
https://www.filescan.io/uploads/69e8d30b4cc9288c910a10f2/reports/74864588-289a-413d-8d03-712852237fb7/overview
Verdict:
Malicious
Labled as:
BZC.NTM.Leopard.1.236BFFCF;BZC.NTM.Leopard.1.20CC4FB3;BZC.NTM.Leopard.1
Link:
https://www.hybrid-analysis.com/sample/d6ae6e103f0371ecac8cbd9585ebcd3322e9d173cee805bfb8d16a4e5a157bd2
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-22T11:09:00Z UTC
Last seen:
2026-04-23T00:24:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb Trojan-Dropper.Win32.Dapato.sb Trojan-Downloader.Win32.Bitser.sb HEUR:Trojan-Downloader.BAT.Bitser.gen
Link:
https://opentip.kaspersky.com/d6ae6e103f0371ecac8cbd9585ebcd3322e9d173cee805bfb8d16a4e5a157bd2/results?tab=lookup
Score:
66%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/d6ae6e103f0371ecac8cbd9585ebcd3322e9d173cee805bfb8d16a4e5a157bd2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6ae6e103f0371ecac8cbd9585ebcd3322e9d173cee805bfb8d16a4e5a157bd2/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/d6ae6e103f0371ecac8cbd9585ebcd3322e9d173cee805bfb8d16a4e5a157bd2
Threat name:
Text.Malware.Leopard
Create hunting rule
Status:
Malicious
First seen:
2026-04-22 13:54:25 UTC
File Type:
Text (Batch)
AV detection:
3 of 24 (12.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22xg4eb7any6zlemxwkyl26ngmrotultz3ualp5y2fve4wqvppja._file
Verdict:
malicious
Label(s):
tinyutility
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c
HijackLoader
0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462
HijackLoader
396619b3f50f9f0de1a6ddcf012729e02939927c2234a56c8509e659e3f92b7a
HijackLoader
401309e3550e7cb31385ea5c345a45cc075f0970698fdf85495ea8d13a4c58e3
HijackLoader
65a44df3f521f11fef1138c8fb32ad16749f12830025eeea925f9fb19f32edf1
HijackLoader
7ff5233b77dd61dbb39ae2ae22ed531d3c30863bba99f858d8d44a791cfcb4bc
HijackLoader
9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
HijackLoader
ce3575f1d6e6202543cf5983b57c9d1f1d63b9b9d821ea102f85e9b57856e7dd
HijackLoader
da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6
HijackLoader
error
HijackLoader
+ 122 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader defense_evasion discovery dropper execution loader spyware stealer
Link:
https://tria.ge/reports/260422-q7pz1agv2q/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Download via BitsAdmin
Downloads MZ/PE file
Detects HijackLoader (aka IDAT Loader)
Family: HijackLoader, IDAT loader, Ghostulse,
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/d6ae6e103f0371ecac8cbd9585ebcd3322e9d173cee805bfb8d16a4e5a157bd2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/63099/

Comments