MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c
SHA3-384 hash: 8e93b3cfb1a3117e374fd4ee47ad15e9eef68d8658d19f1f73e7cf4a02ce0c29cc1c87118a0a47082e427d61da12f0ab
SHA1 hash: 13ac35ab448647262fdf5487034afa9303c2ba4f
MD5 hash: 59f38af1c8b089076b270c5bf48b5565
humanhash: ack-louisiana-texas-grey
File name:C__Users_user_AppData_Local_Temp_cszfr2y4.aax_SettlePay_-_Billing_Report.exe
Download: download sample
Signature HijackLoader
Create hunting rule
File size:5'886'968 bytes
First seen:2026-03-24 20:24:07 UTC
Last seen:2026-03-24 21:40:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 17 x HijackLoader, 5 x Adware.IObit)
ssdeep 98304:D/mjrOV+i5z2Ry/lJMEVLOfOnr6q7uDQIRzua9xVsDI2UseyqUgSB3u54E:D/yr++i5KOlJLOfOnrt7usS9xVs0RseB
Threatray 56 similar samples on MalwareBazaar
TLSH T136563302F7DB2431F8E56A3AA4A188846CD7F8DD19F5D8063C79CE0C497A9DA5D3BB10
TrID 72.8% (.EXE) Inno Setup installer (107240/4/30)
9.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win64 Executable (generic) (6522/11/2)
3.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'793 x Socks5Systemz, 67 x RedLineStealer)
Reporter SquiblydooBlog
Tags:exe Guangzhou-Duqing-Technology-Co-Ltd HIjackLoader signed

Code Signing Certificate

Organisation:广州杜倾科技有限公司
Issuer:Certum Extended Validation Code Signing 2021 CA
Algorithm:sha256WithRSAEncryption
Valid from:2026-01-29T08:37:07Z
Valid to:2027-01-29T08:37:06Z
Serial number: 1585c2edd17bb80bc7de15448cf4792d
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 9ff8533b268267f1eaa008c05a74f06cc92198e813f2ea9e0593bdc61e4af6e0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/7febdc61-ac80-4abf-93d7-2f2ddf37ab05/
Malware family:
n/a
ID:
1
File name:
C__Users_user_AppData_Local_Temp_cszfr2y4.aax_SettlePay_-_Billing_Report.exe
Verdict:
Malicious activity
Analysis date:
2026-03-24 20:25:19 UTC
Tags:
hijackloader loader stealer auto-startup amsi-bypass
Link:
https://app.any.run/tasks/b6ecec99-3e55-4d4b-bb8f-aaf7115c87ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Loader.2728.9184.1139.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69c2f2f7aacb4c376b139f39
Tags:
injection dropper obfusc
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm embarcadero_delphi expired-cert fingerprint inno installer installer installer-heuristic masquerade obfuscated packed signed
Link:
https://www.filescan.io/uploads/69c2f2f35229aae88c84149f/reports/fefbff8d-0cd7-42d9-a41d-0f3af59365f9/overview
Verdict:
Suspicious
Labled as:
Generik.HYARHHI trojan
Link:
https://www.hybrid-analysis.com/sample/02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.Win32.Penguish.guz Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Delf.sb
Link:
https://opentip.kaspersky.com/02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4f7ee6d6-624f-4dbc-a81d-1ea91260fc0d
Score:
28%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=alf4o7ks4evou2tmtwzwyb6s5tgrv6ottoelhablidfrbueiwmga._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9
HijackLoader
2905c9c894e3fd2717b3a6a38a32e71682dfa548ece3172903de4fd29a9dc87e
HijackLoader
4d95e661c6160b85f4320c21d44da333b97ba485f2969015c93cba9e81cdfc82
HijackLoader
5273fc9f5c5c754bf37c58a391fe9ea7d98de470f042d2478d3beb0b71838b77
HijackLoader
8ca17f8770bf57d63512f5689c3cfaa0ea286cb553365595cf4ede21411324bf
HijackLoader
a8a4d5359e832c8d0c8068f84e94d373ada45e8f3590ba02931000bcf37d3b11
HijackLoader
bf91cb86e3d06ae3ac4ac6cd2252a387046c10658701ea8a11ffa706397814c2
HijackLoader
df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7
HijackLoader
error
HijackLoader
+ 46 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery installer loader
Link:
https://tria.ge/reports/260324-y6v4maat8n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Unpacked files
SH256 hash:
02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c
MD5 hash:
59f38af1c8b089076b270c5bf48b5565
SHA1 hash:
13ac35ab448647262fdf5487034afa9303c2ba4f
Link:
https://www.unpac.me/results/c4056497-9298-474f-af4c-0e9da82f9c31/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/c4056497-9298-474f-af4c-0e9da82f9c31/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/c4056497-9298-474f-af4c-0e9da82f9c31/
SH256 hash:
8f0beb5863d190b7b2cfe7f506f3b721ab6b9e892337a133364f2ba710931b25
MD5 hash:
be3cc5717f5951662adb399d613f20cc
SHA1 hash:
f776bc4344ad59fbd6950d24d3aa6dddb3df215a
Link:
https://www.unpac.me/results/c4056497-9298-474f-af4c-0e9da82f9c31/
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/02cbc77d52e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/02cbc77d52e12aea6a6c9db36c07d2eccd1af9d39b88b3802b40cb10d088b30c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/59080/

Comments