MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0113d9f3d93069a29458b3b4c33610aae03961014df60a9e859f3104086d886a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: HijackLoader
Vendor detections: 9

SHA256 hash: 0113d9f3d93069a29458b3b4c33610aae03961014df60a9e859f3104086d886a
SHA3-384 hash: b39d995f751b4b5ddb2514637fd9e274252d77f6d00b6232943c41dbec7f947b9bf9b933b911c3dfef20409ed382d5af
SHA1 hash: 750f3cbe0b41a3f2230d9c15373461a6e7aba8ed
MD5 hash: 3dd6864377ab6af38f7ab2c5cdbdc5b5
humanhash: bravo-mars-music-oscar
File name: 0113d9f3d93069a29458b3b4c33610aae03961014df60a9e859f3104086d886a.zip
Signature: HijackLoader
File size: 14'502'442 bytes
First seen: 2025-12-23 11:24:41 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 393216:elJWK1FiTk527T79GIG4Psi9YuhX+KbGZqi:eWKaTm27T7Ys9H3q3
TLSH: T12DE633DE405AFEC9CAF35D784444B821C90FCA574CA14E27AC2F89581095EDF9E6C8AF
Magika: zip
Reporter: JAMESWT_WT
Tags: enviojj12-duckdns-org HIjackLoader zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 26
Origin country: IT
File Archive Information

This file archive contains 19 file(s), sorted by their relevance:

File name: WimMgr.dll
File size: 175'088 bytes
SHA256 hash: 8bde8412672313f62ab6d74a972eb1f9c82624596381f02dbbf5b4f35d7c91be
MD5 hash: a83e686aa40f9393f3db6e7f50381b6b
MIME type: application/x-dosexec
Signature: HijackLoader

File name: MSVCP140.dll
File size: 566'704 bytes
SHA256 hash: 9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da
MD5 hash: 6da7f4530edb350cf9d967d969ccecf8
MIME type: application/x-dosexec
Signature: HijackLoader

File name: vcruntime140_1.dll
File size: 49'792 bytes
SHA256 hash: e30b3f4979b63b50438d061858c9cde962f4494e585c627a11c98b6c5b7b2592
MD5 hash: 851760a3cc87354e057985e42e69f425
MIME type: application/x-dosexec
Signature: HijackLoader

File name: 01 DEMANDA JUDICIAL.exe
File size: 19'622'128 bytes
SHA256 hash: d38997f32a5ad1ecc8894bcfee7e82b36d274dba6e4afdb7527de6b8f824ba44
MD5 hash: 4704e67b8a96c14416ef4d94d82881b3
MIME type: application/x-dosexec
Signature: HijackLoader

File name: Encrypt.dll
File size: 49'136 bytes
SHA256 hash: 31ebfa6023f09f56d4760b6bd2363f951af3919af527d2942143e65d30091fbd
MD5 hash: 4dd1f74e2f562b900de0e17199289ff2
MIME type: application/x-dosexec
Signature: HijackLoader

File name: libcrypto-1_1.dll
File size: 1'738'752 bytes
SHA256 hash: 22620e9f4e64078bb62f991bb6a9ea9f64d3028c8836d082c4b2befc686fab1c
MD5 hash: 381c35502b4e976c0787be6f5599e435
MIME type: application/x-dosexec
Signature: HijackLoader

File name: Claiwershu.wk
File size: 11'037 bytes
SHA256 hash: 0a6c37fcd083086f091992f3a4a4e1febc9e1039f6ec80adcda0511194040ab7
MD5 hash: 4c67d75f5af147062a646499601ee116
MIME type: application/octet-stream
Signature: HijackLoader

File name: cfg.ini
File size: 47 bytes
SHA256 hash: d76526d70803c2c281641e72f8b7cce70cae3d074d5c3d8e82a7fca73b03366c
MD5 hash: b9658af7212759eccfeff731f50c38dc
MIME type: application/x-setupscript
Signature: HijackLoader

File name: VCRUNTIME140.dll
File size: 98'224 bytes
SHA256 hash: 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
MD5 hash: f34eb034aa4a9735218686590cba2e8b
MIME type: application/x-dosexec
Signature: HijackLoader

File name: ScanPartition.dll
File size: 1'091'568 bytes
SHA256 hash: 0f2777e5816f2adf451f07b983abbe6f6284c12c426a6de2de0d8e219b4ceefd
MD5 hash: 1c8ca7e807a94ba13588cf147836c78c
MIME type: application/x-dosexec
Signature: HijackLoader

File name: MSVCR80.dll
File size: 796'672 bytes
SHA256 hash: 51b74ca155761ff868d0f57b1d23490b4ce46719c0d6a72dd0c1f8efcabd1ec6
MD5 hash: 9fe7a15c759917120f5504a06564aadd
MIME type: application/x-dosexec
Signature: HijackLoader

File name: AmAnacfg.ini
File size: 191 bytes
SHA256 hash: 4d4b853aef8f6720f5883267460d6c082631fdf4e4f563b91fdeb856a8f2f563
MD5 hash: bb34c56f2a25cc3765361867444bbbdd
MIME type: text/plain
Signature: HijackLoader

File name: WIMGAPI.DLL
File size: 509'312 bytes
SHA256 hash: e2faaaab8c7254bc281757a19c6c0fed1da171a9f6c8f408cf1687e662a723c6
MD5 hash: 6bb403f6c388f87ace8a7450393a2c51
MIME type: application/x-dosexec
Signature: HijackLoader

File name: Leal.cewa
File size: 1'393'778 bytes
SHA256 hash: 82806c26d18a3decaafa532c83f456623b7cd7d8931be2fa8264d3abdb7f8837
MD5 hash: a410c3dc8f6d0e3aa09d091e608656fc
MIME type: application/octet-stream
Signature: HijackLoader

File name: 2
File size: 381 bytes
SHA256 hash: 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
MD5 hash: 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
MIME type: text/xml
Signature: HijackLoader

File name: WebView2Loader.dll
File size: 160'216 bytes
SHA256 hash: dcf3c4f6024313eeb6f775ed343265d73be1ce1d5dde2f92195dbc32310c7fc9
MD5 hash: 1ba96800bad54c6019fdb6fe41fca592
MIME type: application/x-dosexec
Signature: HijackLoader

File name: Up.dll
File size: 687'856 bytes
SHA256 hash: 49641659fb8eabf25f534c6b889d4b01801f91f904aec655e0ac8607c9be3276
MD5 hash: 2671160a1cbc44c1ed225af756d380d5
MIME type: application/x-dosexec
Signature: HijackLoader

File name: mfc140u.dll
File size: 5'653'424 bytes
SHA256 hash: 85641c8fb94e8e4c5202152dcbb2bb26646529290d984988ecb72e18d63c9bc5
MD5 hash: 0ea1ecf1f75e4423b86c00842dfdf39d
MIME type: application/x-dosexec
Signature: HijackLoader

File name: win11.ini
File size: 27 bytes
SHA256 hash: bc0c96c6897adb77153e2bcf3b074d77dfdb83f56ada7469a4614c64e45ec626
MD5 hash: c3b3902b3fb6588b01e10ad15a7154ad
MIME type: text/plain
Signature: HijackLoader
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.9%
Tags: infosteal vmdetect

Verdict: Malicious
File Type: zip
First seen: 2025-10-29T21:00:00Z UTC
Last seen: 2025-12-23T10:05:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 3 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout SVG Zip Archive

Threat name: Win64.Trojan.Hijackloader
Status: Suspicious
First seen: 2025-08-12 23:21:40 UTC
File Type: Binary (Archive)
Extracted files: 3363
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader bootkit discovery persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Loads dropped DLL
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: Check_OutputDebugStringA_iat

Rule name: CMD_Shutdown
Author: adm1n_usa32

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC
Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_TOOL_EXP_SeriousSAM02
Author: ditekSHen
Description: Detect tool variants potentially exploiting SeriousSAM / HiveNightmare CVE-2021-36934

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: skip20_sqllang_hook
Author: Mathieu Tartare <mathieu.tartare@eset.com>
Description: YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference: https://www.welivesecurity.com/

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.
