MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 396619b3f50f9f0de1a6ddcf012729e02939927c2234a56c8509e659e3f92b7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 10


SHA256 hash: 396619b3f50f9f0de1a6ddcf012729e02939927c2234a56c8509e659e3f92b7a
SHA3-384 hash: 46208222217d2d27652de43a1b726b4d8c393f59ce838f4b1b9871a7489456cc91a4835925e15fa1ecc98078cc8456d2
SHA1 hash: 4820ccf25e8ab2e49ef4bf6dc454225a205a3691
MD5 hash: 2f29dce03245644b619e2c90465aabd5
humanhash: nitrogen-robert-carolina-leopard
File name: J.ps1
Signature: HijackLoader
File size: 15'015 bytes
First seen: 2025-11-09 17:02:25 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 384:cEiB1NQ59ciDR655NGwmPJf1YclyaJZlQ75YIYpiVVgdW:c+59HpPJN7yaJZk6piVydW
Threatray: 33 similar samples on MalwareBazaar
TLSH: T1F462C0E24985F4A4C188218F90ED4BFD85B6376510582168F7DB287CB7FD4CC3962F60
Magika: powershell
Reporter: JAMESWT_WT
Tags: booking HIjackLoader naskkr-com ps1 Spam-ITA

Intelligence

File Origin
# of uploads: 1
# of downloads: 79
Origin country: IT
Vendor Threat Intelligence

Verdict: Malicious
Score: 81.4%
Tags: shellcode spawn

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated

Verdict: Clean
File Type: ps1
First seen: 2025-11-09T14:15:00Z UTC
Last seen: 2025-11-09T14:20:00Z UTC
Hits: ~10
Threat name: Script-PowerShell.Packed.Generic
Status: Suspicious
First seen: 2025-11-09 17:02:33 UTC
File Type: Text
AV detection: 6 of 24 (25.00%)
Threat level: 1/5

Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery execution loader persistence privilege_escalation spyware stealer
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments