MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f
SHA3-384 hash:	6eb7aa1992a24f9bed0186c416045eefca6ba9ca19234df32b4979b084fa165aa97588d9a7f41c97ab51c17dde427125
SHA1 hash:	1d480429f1465b16668bec0539389e9eb49f37e2
MD5 hash:	86d077fc5093a2eb29481a3d0d49609a
humanhash:	mango-potato-idaho-bakerloo
File name:	SGBBWWKU.exe
Download:	download sample
Signature	HijackLoader Create hunting rule
File size:	11'779'185 bytes
First seen:	2025-06-17 00:02:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep	196608:+pJjiRFBXrL+8thK5PJsCIJzls+qsyAwKsNgUQTsbk9d+ZOw5FTA8stJbYCwxqts:+pJjWfe8tA4ta+qsyABTsSk5eFtJbYxp
Threatray	22 similar samples on MalwareBazaar
TLSH	T1CAC6335133D8B5F9DEB9C1B14F14CF21C634E6662222A9D7E1E4AE3E2DD329728074C9
TrID	38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 24.6% (.EXE) Win64 Executable (generic) (10522/11/4) 11.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.5% (.EXE) Win32 Executable (generic) (4504/4/1) 4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter	skocherhan
Tags:	chainnode-shop exe HIjackLoader

skocherhan

https://chainnode.shop/SGBBWWKU.exe

Intelligence

File Origin

# of uploads :

# of downloads :

769

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7961bfb8d78690f646a2ae6073720cae.exe

Verdict:

Malicious activity

Analysis date:

2025-06-09 11:43:37 UTC

Tags:

stealer ultravnc rmm-tool auto generic hijackloader loader delphi

Link:

https://app.any.run/tasks/32f0c566-6f87-4438-8a9d-df4732d28c1f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/9750/

Verdict:

Malicious

Score:

98.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6850b0a4fb325921bbe3b923

Tags:

dropper ramnit virus hype

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

Creating a file in the %AppData% subdirectories

DNS request

Connection attempt

Sending an HTTP GET request

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fc377f16-b49e-4589-8f42-50827f098225

Score:

83%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f/

Threat name:

Win32.Trojan.Rugmi

Status:

Malicious

First seen:

2025-06-07 19:04:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lbf4kbbed635ynxuyl7v2of7s5l5tl22g2okaebh2lqvdvj5smxq._file

Verdict:

malicious

Label(s):

idatloader

HijackLoader

584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f

HijackLoader

9272725ce2c04a04ac68741c6fce964648592933f3aba618fed7c585706b6d2a

HijackLoader

92cc9d78c033ca6e664952bf094275b72d7ca247db8e7509807df3b5c40b7b7c

HijackLoader

d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

HijackLoader

error

HijackLoader

+ 12 additional samples on MalwareBazaar

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader discovery loader

Link:

https://tria.ge/reports/250617-abss1stwcy/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d8770bf2-a43c-4f83-9147-b1589162c28c

Unpacked files

SH256 hash:

584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f

MD5 hash:

86d077fc5093a2eb29481a3d0d49609a

SHA1 hash:

1d480429f1465b16668bec0539389e9eb49f37e2

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

08ea03756105cf691149cd312f89a3443f1106447e253f377ccd9e8ed2365745

MD5 hash:

f14ca88377292ee6300d91a45a7ac62f

SHA1 hash:

14a18c7745d785d80fc8e4f3c1174c998af6d177

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

eff8cadcdc0cfbbfb21a5167a9fcc66e7ef4b80ed0be24adff89e53133a52f27

MD5 hash:

f0679094affc80f9c3bdae5a3d2f544a

SHA1 hash:

157a915ed56afd494787ee3b667823d035211db6

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

81276b50b90ce1182748dda8eff90871091adfa0eb6392b3831b349b4905cf53

MD5 hash:

5214514ab571863ec8bd777095626e80

SHA1 hash:

18fdb30fa7d6e790e4fdb2e8cbe85ff659e3053d

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

bbab6f18e3ac425dda37780f81e52303011a144aa2dc81dcfad62645c7f0a588

MD5 hash:

3ebc2282e7addeb85262dc7252f9be45

SHA1 hash:

3ea7389f2cee7e8bf9eb5907e1156eedf45926db

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

060e449d8804da9a6fcdc0768fe1a993e580eba0945aa6bd68f863fde09b580f

MD5 hash:

62dd064c21b5b55f9c39853aa37aaf46

SHA1 hash:

5fbfae2948d06b25869bcfb40332906e2c37f950

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

c3568a3f300ad9c15ced9f31c0b66319dfe2eecfd0c38636ec4b842bbb080294

MD5 hash:

8f78e8d0d161dbb5dfb88b09a6abd70e

SHA1 hash:

7a4d2a0eca46b7ef489c0de64c570c6c44417661

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

2937c2af3f77f7435d1ec567c91bd6b479d17859d95d8e57ebd0f855d1e59193

MD5 hash:

466e364c6bac72dc1f3f19281606a20a

SHA1 hash:

7b9eec483cc4d70a1dc0aa3bd252f01ee00515d1

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

f7a3b018fc85b6c0997a20eb9b64f6a892e33f1cc220a40341643080369a555a

MD5 hash:

239d320a2c81199b1c19489e2cef16aa

SHA1 hash:

94f9d42e4f55de07f332ab8d855fdf8c0f53b68c

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

12dd746331004d00d0ec53c75a922f9230ab54878c38559e61f89c316c2a841e

MD5 hash:

84d17fe72cf90654a5412107dedc63fb

SHA1 hash:

2895c6400cff53244dcc39f3652e051fd26cbe61

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

bea7cce3d8213c4add9b24feb924b37e3e597049b905e941838ce60a221ca38c

MD5 hash:

70d2d754c08031588cf0c92e308b4e75

SHA1 hash:

ba0be177a38ef6336ceaedb6e25d189feb6d08f5

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

e599812bf5502edbf3dc84c473a6b54dee95ace690b911b6578697db43f6bf86

MD5 hash:

3fb5bd731801ad3c2de588cc5a99593d

SHA1 hash:

d8586dcf0ec1e2232d6bf4dadf3f9230c68daadb

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

0823b2bf3fcc268f31281d520a29e8c0be43df4b2414c3023657f5257a9a103e

MD5 hash:

ebf678ed606696584c9252c051690e22

SHA1 hash:

5bf8a4854c17c75f6ae170ad7e6232ae8296d129

Detections:

win_samsam_auto

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

Parent samples :

2e8ac3980feb2ed56f39fac3763eed0fba77740a7b5cd74bccd8b7d59223c79d
64e2811f4c55a0b962e31c3fd01aa653ff5a55d56146ff2f4b6fbef6236c46a4
78ed91aa3f80105bc099ac45eb8c5d50536aeeab5442a81d80aedfa90e42988d
e68aaae515c5a9209fad7b4217f534de39b36ec66aff13c900c6c729e14dd31f
58a5e3bb70bcb50147587807794bcee8ee3c7e5c67a630b092e7899d2a50c83b
584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f
ff6ba4489c2fe94e5ed49e2bbb411abbb6677f73b56df746ffb36c6c0ea6b81f
9e05baee59cd27a85f08cf2fa678f54c3bb639f29d4521bfa0319bf174c04dba
6ffd4fb10bc191d0a3b5b47bec951397628f2dad1f5defce506c753c90c0f296
a7c5e1f4789b6b066c8030a3966786c99682371751c255e4e77d4b5a485237ae
46091fc17ded829d91a0563354ca16ff416f6b92912ad7ddd39ff326d787299b
f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081
f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca
516523a72a445b175b620ee3ec70e0be6d7ddd9e217c22867527a3e17b7bb8b2
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
772b547b8e01d86b2d4a32e308a42388f298ca4faedb0d6a3b78fb0d4dce8826
cabf319baf5f3c955f6e251d101bdc61a1d7c3ced40e3f313c7d43f8571c00dd
9de72bbf7efdb9b528351ec7ad706d6197e860a78b2846adf700cbc10d0760fa
59ba1a24163e85ec4b5c473f45fbed52da955e49c4f3b9578df4baf0593b9c66

SH256 hash:

a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0

MD5 hash:

cabb58bb5694f8b8269a73172c85b717

SHA1 hash:

9ed583c56385fed8e5e0757ddb2fdf025f96c807

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

SH256 hash:

68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe

MD5 hash:

d4dae7149d6e4dab65ac554e55868e3b

SHA1 hash:

b3bea0a0a1f0a6f251bcf6a730a97acc933f269a

Link:

https://www.unpac.me/results/e840a461-40c6-4733-9f19-669555f3e584/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	observer Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked observer malware samples.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	sus_pe_free_without_allocation Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

Rule name:	Windows_Trojan_GhostPulse_caea316b Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

exe fd81468eeb74e091f0b328344cb992093a92d10c18dfe9ba45ebbd88a4673d4b

HijackLoader

exe 584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f

(this sample)

Dropped by

MD5 7961bfb8d78690f646a2ae6073720cae

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/9750/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetDiskFreeSpaceExW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::GetSystemDirectoryW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample