MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9
SHA3-384 hash: 19635b61c17b4eb68c5b35ca711bd9428e80ec4b1b71271454cf4306ef6985d45a3a6006422d63394321ca53c9d65035
SHA1 hash: bcddc769940df6d2d9af38db9a309a15f133abaf
MD5 hash: 7f2da2b4fa69df3d498682206de525e9
humanhash: magnesium-lithium-don-kentucky
File name:JNQTLNBZ.zip
Download: download sample
Signature HijackLoader
Create hunting rule
File size:3'405'723 bytes
First seen:2025-06-04 09:18:04 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 49152:uk3CQLZZ+Ai+RZELYGDy3F9qbGPU9KOG7B5HrgE+0yzhsT+1lsRV7:uk3Zl3FGmF9qbGmtG7B5Z+DUN
TLSH T184F5331920BDB230CBCCA85CF6F41E61EB683A3C26C86F1599A5C5117D87A9C2FD0796
Magika zip
Reporter JAMESWT_WT
Tags:clickcease-biz HIjackLoader zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684010c88bd5d68a12e50004
Tags:
n/a
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9/results/dashboard
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
expired-cert fingerprint microsoft_visual_cc overlay signed
Link:
https://www.filescan.io/uploads/68400f65171e01f959359cfd/reports/3ecb02c8-5505-4830-be00-e2c2d2487a84/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
6%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-03 17:33:32 UTC
File Type:
Binary (Archive)
Extracted files:
6
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jh7ukefvvhsjwrcqixfs5sp37xjhhpzxwkz2rnetos7kv6tixcuq._file
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader
Link:
https://tria.ge/reports/250604-l5wmjsvyhx/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:elysium
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked elysium stealer malware samples.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

zip 49ff4510b5a9e49b445045cb2ec9fbfdd273bf37b2b3a8b49374beaafa68b8a9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3557205/
  
Delivery method
Distributed via web download

Comments