MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462
SHA3-384 hash: 64cbffbd401430149cd7878766dc207470d08ed50ad33e9ad377cbd828c770c9abc666cfabc469c7a0b9f1110cd9c90c
SHA1 hash: 9bfaee3d8550bf5177da42134a696e257277d569
MD5 hash: 93a3571e1a57c74daf4cd0138df96d2a
humanhash: beer-california-north-alpha
File name:ps.ps1
Download: download sample
Signature HijackLoader
Create hunting rule
File size:233 bytes
First seen:2025-11-09 17:01:59 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 6:s8SMVnxV7NevE8ydH1O7kC9kO6hQzFSnRpr0UOHn4s+n:s8z9evE8ydH1OgC9kO6hQZUROXHn+n
Threatray 88 similar samples on MalwareBazaar
TLSH T15ED0A7A9BDDCCDC467ADA09004C61D0D27754647C73429E522441E816C4C700CBF70A9
Magika batch
Reporter JAMESWT_WT
Tags:booking HIjackLoader naskkr-com ps1 Spam-ITA


Avatar
JAMESWT_WT
booking
https://naskkr-com/OHKJZRUM.msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6910c92926a48f18ae1e22a1
Tags:
ransomware obfuscate xtreme
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/6910c926b2332ab627db5885/reports/cf723ff1-17dd-4094-b8c0-76b2892140e3/overview
Verdict:
Suspicious
Labled as:
TrojanDropper/PS.Maloader
Link:
https://www.hybrid-analysis.com/sample/0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462
Verdict:
Clean
File Type:
ps1
First seen:
2025-11-09T14:16:00Z UTC
Last seen:
2025-11-09T14:20:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462/results?tab=lookup
Score:
31%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462
Threat name:
Script-PowerShell.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-09 17:02:31 UTC
File Type:
Text (Batch)
AV detection:
3 of 24 (12.50%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5nbateun3bsheewmgv3rtoxocpc4nwe2fthegkmrggeq37m4rra._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
057ab7dcbd03786d234543ced23a4fe58f2d0d29d2aa28ad8f73b78270d5c5e6
HijackLoader
65a44df3f521f11fef1138c8fb32ad16749f12830025eeea925f9fb19f32edf1
HijackLoader
6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134
HijackLoader
a8a4d5359e832c8d0c8068f84e94d373ada45e8f3590ba02931000bcf37d3b11
HijackLoader
d8f11fe16666255b4be2a16416de176217c51f9fe8a063ec19df6691ff82a0fc
HijackLoader
da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6
HijackLoader
df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7
HijackLoader
e61a0c457a57eb941199d4461934f73a88db58ee64b74a28373f28c85d757c84
HijackLoader
ec9a9dbe295a2d36ee807934a1acdd00fb7de1befa3bdda7cae45d3d659dff1a
HijackLoader
error
HijackLoader
+ 78 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery execution loader persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/251109-vkb7va1ker/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f5a104c946e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments