MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0339ad1f789bdb26f6f4e42cc3a64acd97b5984df504a2c4a2eb219d8896a1c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vidar


Vendor detections: 10


SHA256 hash: 0339ad1f789bdb26f6f4e42cc3a64acd97b5984df504a2c4a2eb219d8896a1c6
SHA3-384 hash: 928311e5e4015766511bd381d19690557025cde002fddfaa3ed1fbff5c1d97024ea7c9e9c24caebce904e8e1dbe90be1
SHA1 hash: bc8478c540528d84be8dbaf0ac46bbeb7919b4b6
MD5 hash: 26585d954a1eed818fc4965be207ccb6
humanhash: music-cola-hydrogen-mirror
File name: oi.ps1
Signature: Vidar
File size: 1'391 bytes
First seen: 2026-01-29 14:40:17 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 24:rIqvpCEljHnXHu6eUAzftlODtOjd1Wz9OHzLwjNAMwaqHimHK2CcHK2Z:rbHFHXuMAzf/mtOPWzawjNAMwaIisKdU
TLSH: T1452194215D5A7508921E8777F34D9FE89A3618B8A58A2CE4439CEAD408E93C4A80949A
Magika: powershell
Reporter: aachum
Tags: ClickFix FakeCaptcha HIjackLoader ps1 vidar


iamaachum: http://178.17.59.26/oi.txt

Intelligence


File Origin
# of uploads: 1
# of downloads: 90
Origin country: ES
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 70%
Tags: ransomware

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 obfuscated

Verdict: Malicious
File Type: ps1
First seen: 2026-01-28T09:53:00Z UTC
Last seen: 2026-01-29T12:12:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Strab.sb, Trojan.Win32.Penguish.sb, Trojan.PowerShell.Strion.sb, PDM:Trojan.Win32.Generic
Result
Threat name: HijackLoader, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected HijackLoader
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1859809
Sample: oi.ps1
Startdate: 29/01/2026
Architecture: WINDOWS
Score: 100

Process tree recovered from the behavior graph (node text only; the graph image itself is not reproduced):

oi.ps1 (top-level sample)
Contacted hosts: bek.beznervov.com; telegram.me; pub-50a54badab6f4f408cd8e6c0a3dbfa4f.r2.dev
Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
Started: msiexec.exe; powershell.exe; svchost.exe

msiexec.exe
Dropped: C:\Users\user\AppData\Roaming\...\quazip.dll (PE32); C:\Users\user\AppData\...\openvr_api.dll (PE32); C:\Users\user\AppData\...\VCRUNTIME140.dll (PE32); 11 other malicious files
Started: Pix_C.exe

powershell.exe
Contacted hosts: pub-50a54badab6f4f408cd8e6c0a3dbfa4f.r2.dev (104.18.54.45, 443, 49681, CLOUDFLARENETUS, United States)
Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
Started: conhost.exe; msiexec.exe

svchost.exe
Contacted hosts: 127.0.0.1 (unknown)

Pix_C.exe (first instance)
Dropped: C:\ProgramData\dev_wizard\quazip.dll (PE32); C:\ProgramData\dev_wizard\openvr_api.dll (PE32); C:\ProgramData\dev_wizard\VCRUNTIME140.dll (PE32); 11 other files (7 malicious)
Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
Started: Pix_C.exe (second instance)

Pix_C.exe (second instance)
Dropped: C:\Users\user\AppData\...\BlizzardError.exe (PE32+); C:\Users\user\AppData\Local\...\PortalM.exe (PE32+)
Signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
Started: PortalM.exe; BlizzardError.exe

PortalM.exe
Contacted hosts: bek.beznervov.com (172.67.216.194, 443, 49694, 49695, CLOUDFLARENETUS, United States); telegram.me (149.154.167.99, 443, 49693, TELEGRAMRU, United Kingdom)
Signatures: Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; Allocates memory in foreign processes; 5 other signatures
Started: chrome.exe; conhost.exe

chrome.exe
Contacted hosts: 192.168.2.7 (138, 443, 49579, unknown)
Started: chrome.exe (child)

chrome.exe (child)
Contacted hosts: play.google.com (142.250.64.142, 443, 49722, 49724, GOOGLEUS, United States); www.google.com (142.250.64.196, 443, 49710, 49711, GOOGLEUS, United States); 3 other IPs or domains
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery execution loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse
Hijackloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Vidar
File type: PowerShell (PS) ps1
SHA256 hash: 0339ad1f789bdb26f6f4e42cc3a64acd97b5984df504a2c4a2eb219d8896a1c6 (this sample)

Comments