MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1936ccd7cc0f18a24224533eab9a88c37130495143dc5599542cc4607650352b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 17

SHA256 hash: 1936ccd7cc0f18a24224533eab9a88c37130495143dc5599542cc4607650352b
SHA3-384 hash: 0f46a4a103bae5bdd08a5ed135185efb786c706716713680564473fa172a55f7eccad536e4871c89f6d56404d9aac9ed
SHA1 hash: e387b5a9a0442149f8ef24be26df973ea70c5b6d
MD5 hash: bce15d659f2230814643d1c899dffc05
humanhash: fourteen-kilo-artist-two
File name: 1936ccd7cc0f18a24224533eab9a88c37130495143dc5599542cc4607650352b.exe
Download: download sample
Signature: HijackLoader
File size: 6'453'170 bytes
First seen: 2025-09-08 06:23:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 492a5d3560401c2811de048088bf91d0 (4 x DonutLoader, 2 x HijackLoader, 1 x QuasarRAT)
ssdeep 196608:p34VlOucWzaS5KaoXtmeEcrjq8ekQpcOd9UjYL:S6ucWGSZoXtmeEcrjxekMll
TLSH T1AE56331AF7E509FAE2A3D475CD524856E7B17C4E17316BCF23D589928F262808F3A312
TrID 87.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
5.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.4% (.EXE) Win64 Executable (generic) (10522/11/4)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: exe HIjackLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 98
Origin country: SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1936ccd7cc0f18a24224533eab9a88c37130495143dc5599542cc4607650352b.exe
Verdict:
Malicious activity
Analysis date:
2025-09-07 23:01:48 UTC
Tags:
hijackloader loader lumma auto-startup

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand explorer fingerprint lolbin microsoft_visual_cc obfuscated overlay packed packed packer_detected threat
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-07T15:39:00Z UTC
Last seen:
2025-09-07T15:39:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Penguish.sbd Trojan.Win32.Penguish.fqk PDM:Trojan.Win32.Generic Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan.Win32.Crypt.sb
Result
Threat name:
HijackLoader
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Yara detected HijackLoader
Behaviour
Behavior Graph (ID 1772927; sample: 6pimM4IOjD.exe; start date: 08/09/2025; architecture: WINDOWS; score: 92), reconstructed from the graph rendering:

Signatures on the submitted sample: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected HijackLoader

Process tree:
6pimM4IOjD.exe
    dropped: C:\Users\user\AppData\Local\...\mfc100.dll (PE32+); C:\Users\user\AppData\...\ShaFactory27.exe (PE32+); C:\Users\user\AppData\Local\...\RecZip.dll (PE32+); C:\Users\user\AppData\Local\...\MSVCR100.dll (PE32+)
    started: ShaFactory27.exe
        dropped: C:\ProgramData\...\ShaFactory27.exe (PE32+); C:\ProgramData\Qp_demo_dbgv5\mfc100.dll (PE32+); C:\ProgramData\Qp_demo_dbgv5\RecZip.dll (PE32+); C:\ProgramData\Qp_demo_dbgv5\MSVCR100.dll (PE32+)
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
        started: ShaFactory27.exe
            dropped: C:\Users\user\AppData\Roaming\...\Chime.exe (PE32); C:\Users\user\AppData\Local\...\PicoColl.exe (PE32+); C:\Users\user\AppData\Local\...\3649549.tmp (PE32+)
            signatures: Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
            started: PicoColl.exe
                signatures: Found direct / indirect Syscall (likely to bypass EDR)
                started: WerFault.exe
            started: Chime.exe
                signatures: Switches to a custom stack to bypass stack traces
ShaFactory27.exe (second start from the sample)
    dropped: C:\Users\user\AppData\Local\...\505403F.tmp (PE32+)
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
    started: PicoColl.exe
        started: WerFault.exe
    started: Chime.exe
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Downloader.Rugmi
Status:
Malicious
First seen:
2025-09-07 20:18:27 UTC
File Type:
PE+ (Exe)
Extracted files:
871
AV detection:
6 of 36 (16.67%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
hijackloader rhadamanthys
Similar samples:
Result
Malware family:
hijackloader
Score:
  10/10
Tags:
family:hijackloader discovery loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash:
1936ccd7cc0f18a24224533eab9a88c37130495143dc5599542cc4607650352b
MD5 hash:
bce15d659f2230814643d1c899dffc05
SHA1 hash:
e387b5a9a0442149f8ef24be26df973ea70c5b6d
SHA256 hash:
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
MD5 hash:
df3ca8d16bded6a54977b30e66864d33
SHA1 hash:
b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 hash:
2e9582035eaefdf55334df95ea1f572c5b82cccb3fdf8f23ead33cd820c77259
MD5 hash:
bc8bdc4c9713b7b35aad723f5b840303
SHA1 hash:
ff5e6bf4cacda1b8eb4ed0316d1922623a98b191
SHA256 hash:
523ee0dd45a11ebcae4abe94ffd20cc40d706a11fb1d904ff0d1614ca7b9ac9f
MD5 hash:
931acf909c24ad698611f630b81a973c
SHA1 hash:
34ab9cb9f6af5cf2e5c1239089511bf4b8dee00e
Malware family:
GHOSTPULSE
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: pe_detect_tls_callbacks
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: Windows_Trojan_GhostPulse_caea316b
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments