MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30be3ca09db5d5cb347c380215bad0efec926816265f0636efe26fd54f57aba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	30be3ca09db5d5cb347c380215bad0efec926816265f0636efe26fd54f57aba5
SHA3-384 hash:	c961b46e0f13c1014473cb423c7ccacca5cd99d58b58aed560e378bb997763644ad253cab3ab5916e80204ab162e00c2
SHA1 hash:	5b2d696a829328e7e94aaa75075dc3448a953d35
MD5 hash:	58d21482426a0ee87e379931d23a939b
humanhash:	ceiling-twelve-floor-october
File name:	30be3ca09db5d5cb347c380215bad0efec926816265f0636efe26fd54f57aba5.zip
Download:	download sample
Signature	HijackLoader Create hunting rule
File size:	5'987'063 bytes
First seen:	2025-12-23 11:28:52 UTC
Last seen:	Never
File type:	zip
MIME type:	application/x-rar
ssdeep	98304:qkUO6tT1VuicNU7k1aFiaV4e3FNH3b2ecn9anP+34fvM811+GRC82NPLDi0+8llQ:qL76NUa4iaVz1NHaec9iPTR1UG09NPL6
TLSH	T15156335C5185E8FC304F75296A2B167A32D488374BEC7E7F8341B66322B81A366FDB44
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	JAMESWT_WT
Tags:	enviojj12-duckdns-org HIjackLoader zip

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 6 file(s), sorted by their relevance:

File name:	SsCustom.dll
File size:	104'888 bytes
SHA256 hash:	8e61724d842cd201f264e7ac75064879f7ebff786ee7d383f1ca29b3e7c35fb4
MD5 hash:	8f99d431a7007dd0901c54a67185df1b
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	Freet.lb
File size:	4'380'034 bytes
SHA256 hash:	d08793f7913b10b25ad2cdd7965bd817243c94483217f642a0d90274c9b4ac7f
MD5 hash:	60b275cc4fe4a33f226b94e2a122b7f6
MIME type:	application/octet-stream
Signature	HijackLoader

File name:	OmgbkupRes_ENU.dll
File size:	104'376 bytes
SHA256 hash:	1a82d7a8a7e62c2217886d0e1b420dcba4a613eb5ef5dc6a336421e357973df1
MD5 hash:	e7b7e1f41e4ab20fa414b99de87896c5
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	2
File size:	381 bytes
SHA256 hash:	4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
MD5 hash:	1e4a89b11eae0fcf8bb5fdd5ec3b6f61
MIME type:	text/xml
Signature	HijackLoader

File name:	002 DEMANDA PENAL.exe
File size:	6'151'608 bytes
SHA256 hash:	fadec4f29e544ee21c83003422e757f56c94876ca54141a33e7fef39b6e39fe1
MD5 hash:	89f65812fd4bfa46db7bbe897d766f1c
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	Gikkaendcrean.rdbi
File size:	26'531 bytes
SHA256 hash:	14e985a375abe239cff78a4d6176d11e0e6f3a16f5bd5ad9097771a867fb21ae
MD5 hash:	e63c457c3027bbdee215c599a05bcdb7
MIME type:	application/octet-stream
Signature	HijackLoader

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/a85fb374-53c8-4c75-b7bf-10882fa3ff27/

Verdict:

Suspicious

Score:

50%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694a7d1b01c7b4a8fe54f997

Tags:

shellcode injection obfusc

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/30be3ca09db5d5cb347c380215bad0efec926816265f0636efe26fd54f57aba5

Verdict:

Malicious

File Type:

rar

First seen:

2025-12-24T03:28:00Z UTC

Last seen:

2025-12-24T03:41:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/30be3ca09db5d5cb347c380215bad0efec926816265f0636efe26fd54f57aba5/results?tab=lookup

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Rar Archive

Link:

https://app.malva.re/file/58d21482426a0ee87e379931d23a939b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30be3ca09db5d5cb347c380215bad0efec926816265f0636efe26fd54f57aba5/

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-08-21 15:38:04 UTC

File Type:

Binary (Archive)

Extracted files:

129

AV detection:

18 of 36 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gc7dzie5wxk4wnd4habblowq57wje2awezpqmnxp4jx5kt2xvosq._file

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader discovery

Link:

https://tria.ge/reports/251223-np1yfavrgx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Loads dropped DLL

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/30be3ca09db5d5cb347c380215bad0efec926816265f0636efe26fd54f57aba5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample