MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31b717d710d3bd3925e8bcaa58f5acba3568d7523114cd4ce06443d38dd1a7d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader
Vendor detections: 16



SHA256 hash: 31b717d710d3bd3925e8bcaa58f5acba3568d7523114cd4ce06443d38dd1a7d0
SHA3-384 hash: 04a15c44f6b2a41cd269252fc672c811f07e91447b82bd8c6fac6a69cf3d0eb4224049411dc6cd3d966738ae61cf03c9
SHA1 hash: bc52f081433b9ac2b1f1e6a07ab1434382189f39
MD5 hash: 4c30e2a5a9204553cd88ec280e50a9ef
humanhash: alabama-hydrogen-london-enemy
File name: file
Signature: HijackLoader
File size: 8'204'493 bytes
First seen: 2026-01-31 23:24:11 UTC
Last seen: 2026-02-01 09:11:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 13 x HijackLoader, 5 x Adware.IObit)
ssdeep: 196608:k5O2zZxvQGIxfXK0Z7EPM1qjFTYGhYLQd:kfnIRXWE1qje0
Threatray: 26 similar samples on MalwareBazaar
TLSH: T15E863352C7E74038E1DB4933A4AADC91DF7378B148DAB4662CB6D20C1A7C3C1AD3A795
TrID:
  70.9% (.EXE) Inno Setup installer (107240/4/30)
  9.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  6.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-gcleaner exe HIjackLoader U UNIQ.file


Bitsight
url: http://195.178.136.38/service

Intelligence


File Origin
# of uploads: 5
# of downloads: 169
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-01-31 23:24:50 UTC
Tags: delphi hijackloader loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect dropper virus crypt
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm anti-vm crypto embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404
Verdict: Malicious
File Type: exe x32
First seen: 2026-01-31T21:30:00Z UTC
Last seen: 2026-02-01T20:55:00Z UTC
Hits: ~100
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Hijackloader
Status: Suspicious
First seen: 2026-01-31 23:25:37 UTC
File Type: PE (Exe)
Extracted files: 306
AV detection: 17 of 38 (44.74%)
Threat level: 5/5
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader credential_access discovery installer loader spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Unpacked files
Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader
Executable exe 31b717d710d3bd3925e8bcaa58f5acba3568d7523114cd4ce06443d38dd1a7d0 (this sample)
Dropped by: Gcleaner
Delivery method: Distributed via web download
