MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a2c9d7bede240c16a028a9ce884af292ef1f0dbdb76d5c2ea04db2d9f36c1f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a2c9d7bede240c16a028a9ce884af292ef1f0dbdb76d5c2ea04db2d9f36c1f4
SHA3-384 hash: 12bb3248625daaecf0bc72487652489e78f093d83904766922be959678c5ddafb9de75cf197cafb4ec98fbb77c9f4e38
SHA1 hash: 80831a50dc5bc26255db5e40a19f8d0d4c61010e
MD5 hash: aa52198237f403d589eade6b4d5b4878
humanhash: autumn-mountain-foxtrot-mars
File name:UPZDKGAF.bin
Download: download sample
Signature HijackLoader
Create hunting rule
File size:5'856'678 bytes
First seen:2025-07-11 18:08:50 UTC
Last seen:2025-07-13 12:26:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (20 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 98304:8p2JP4wq2KDE9xBjYzGCWmRRBvJS17U6WCLmW3+Ud2UphzXy:8p2JgwVV7juGGNShzrldLp9y
Threatray 4 similar samples on MalwareBazaar
TLSH T129463353BB9835B8CC22D9B1CFCCC327217BC35B6B554E9B07D1AE145C822659307AEA
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter aachum
Tags:AcreedStealer dropped-by-ACRStealer exe HIjackLoader IDATLoader


Avatar
iamaachum
http://193.32.176.219/UPZDKGAF.bin

Intelligence

File Origin
# of uploads :
2
# of downloads :
23
Origin country :
CZ CZ
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UPZDKGAF.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-07-11 18:14:44 UTC
Tags:
hijackloader loader stealer
Link:
https://app.any.run/tasks/5a200b19-b082-4c76-82f8-ec92fdaa285e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13902/
Detection(s):
SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6871534cc9eb974737686c4f
Tags:
vmdetect dropper botnet virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
DNS request
Connection attempt
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer invalid-signature microsoft_visual_cc overlay packed packer_detected signed
Link:
https://www.filescan.io/uploads/6871534b80b46be06ea05a2e/reports/165a564c-bfc1-419e-8e6b-7507d06688b8/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/4a2c9d7bede240c16a028a9ce884af292ef1f0dbdb76d5c2ea04db2d9f36c1f4
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/079a4b81-ee9d-4983-a719-32c77b40f73b
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1734174
Signature
Contains functionality to infect the boot sector
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes many files with high entropy
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1734174 Sample: UPZDKGAF.bin.exe Startdate: 11/07/2025 Architecture: WINDOWS Score: 100 78 windowsupdateorg.live 2->78 80 ocsp.rootg2.amazontrust.com 2->80 82 5 other IPs or domains 2->82 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 Yara detected UAC Bypass using CMSTP 2->98 100 Joe Sandbox ML detected suspicious sample 2->100 9 _Con.exe 6 2->9         started        13 UPZDKGAF.bin.exe 11 2->13         started        15 _Con.exe 4 2->15         started        signatures3 process4 file5 58 C:\Users\user\AppData\Local\...\5869063.tmp, PE32 9->58 dropped 110 Maps a DLL or memory area into another process 9->110 17 AtomicDrive64.exe 984 9->17         started        21 tcpvcon.exe 9->21         started        60 C:\Users\user\AppData\Local\Temp\_Con.exe, PE32+ 13->60 dropped 62 C:\Users\user\AppData\Local\...\zlibwapi.dll, PE32+ 13->62 dropped 64 C:\Users\user\...\lib_TSCommunication_sdk.dll, PE32+ 13->64 dropped 66 4 other files (none is malicious) 13->66 dropped 23 _Con.exe 16 13->23         started        26 tcpvcon.exe 1 15->26         started        signatures6 process7 dnsIp8 74 windowsupdateorg.live 172.67.159.116, 443, 49735, 49768 CLOUDFLARENETUS United States 17->74 76 3.33.196.84, 49728, 49729, 49730 AMAZONEXPANSIONGB United States 17->76 42 C:\...\AeonikPro-Regular.f67c8799.woff2, Web 17->42 dropped 44 C:\...\AeonikPro-Regular.397ead0a.woff2, Web 17->44 dropped 46 C:\...\AeonikPro-Regular.2b6e2f45.woff, Web 17->46 dropped 54 47 other malicious files 17->54 dropped 28 AtomicDrive64.exe 17->28         started        30 conhost.exe 21->30         started        48 C:\Users\user\AtomicDrive64.exe, PE32 23->48 dropped 50 C:\Users\user\AppData\Roaming\...\tcpvcon.exe, PE32 23->50 dropped 52 C:\Users\user\AppData\Local\...\3ADCEB9.tmp, PE32 23->52 dropped 56 6 other files (none is malicious) 23->56 dropped 102 Found many strings related to Crypto-Wallets (likely being stolen) 23->102 104 Drops PE files to the user root directory 23->104 106 Found hidden mapped module (file has been removed from disk) 23->106 108 2 other signatures 23->108 32 AtomicDrive64.exe 20 23->32         started        36 tcpvcon.exe 1 23->36         started        38 conhost.exe 26->38         started        file9 signatures10 process11 dnsIp12 68 a8a00b7a27dd309f6.awsglobalaccelerator.com 15.197.198.189, 49723, 8545 TANDEMUS United States 32->68 70 ocsp.r2m04.amazontrust.com 3.162.114.200, 49726, 80 AMAZON-02US United States 32->70 72 ocsp.rootca1.amazontrust.com 3.171.70.190, 49724, 49725, 80 AMAZON-02US United States 32->72 84 Found many strings related to Crypto-Wallets (likely being stolen) 32->84 86 Contains functionality to infect the boot sector 32->86 88 Writes many files with high entropy 32->88 90 Found direct / indirect Syscall (likely to bypass EDR) 32->90 92 Switches to a custom stack to bypass stack traces 36->92 40 conhost.exe 36->40         started        signatures13 process14
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4a2c9d7bede240c16a028a9ce884af292ef1f0dbdb76d5c2ea04db2d9f36c1f4
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/aa52198237f403d589eade6b4d5b4878
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a2c9d7bede240c16a028a9ce884af292ef1f0dbdb76d5c2ea04db2d9f36c1f4/
Threat name:
Win32.Downloader.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-07-11 18:09:15 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
17 of 24 (70.83%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jiwj267n4jamc2qcrkoorbfpfexpd4g33n3nlqxkatns3hzwyh2a._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
7d27dfa5fa896af9fcf1e9928ab0606ed69b594cab8e466e04475d317bf65add
HijackLoader
b71a0f99b2f1e4fc6628add1ec2d633fddffb5d21bdf2bbaf75e43861d5f6932
HijackLoader
error
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader spyware stealer
Link:
https://tria.ge/reports/250711-wrgxcaywes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/48a5aeeb-780f-4241-bbc2-2e38e3d87e63
Unpacked files
SH256 hash:
4a2c9d7bede240c16a028a9ce884af292ef1f0dbdb76d5c2ea04db2d9f36c1f4
MD5 hash:
aa52198237f403d589eade6b4d5b4878
SHA1 hash:
80831a50dc5bc26255db5e40a19f8d0d4c61010e
Link:
https://www.unpac.me/results/dc28798a-798f-4fcd-bc8d-c42458e46f0d/
SH256 hash:
596b4428300507563e212b75f53c7ef63a0d99f187d30a9a3a78514e2382129f
MD5 hash:
893d856c0bc16da230bfc30fa967cde9
SHA1 hash:
7f8645cd274abee4ffd95651928c32fc6eeac330
Link:
https://www.unpac.me/results/dc28798a-798f-4fcd-bc8d-c42458e46f0d/
SH256 hash:
5d51fefed45a8ba4294dc6b2bae620981f22fb361eaa09b8ed1d12199c9c631b
MD5 hash:
6684a305c90735d022e0bc62efbe1203
SHA1 hash:
15ecd1db4f905ab15edf18a61cffc4aa248f12ed
Link:
https://www.unpac.me/results/dc28798a-798f-4fcd-bc8d-c42458e46f0d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:observer
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked observer malware samples.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Surtr
Create hunting rule
Author:Katie Kleemola
Description:Rule for Surtr Stage One
Rule name:SurtrStrings
Create hunting rule
Author:Katie Kleemola
Description:Strings for Surtr
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe 4a2c9d7bede240c16a028a9ce884af292ef1f0dbdb76d5c2ea04db2d9f36c1f4

(this sample)

  
Link
https://tria.ge/250711-we5smshm5z/behavioral1
  
Dropped by
ACRStealer
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/13902/
  
URLhaus
https://urlhaus.abuse.ch/url/3581742/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments