MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa
SHA3-384 hash:	03139ef3551deb25ac551a92e69e9a3ab405e8881dab79cb53050f5077e054eb2c02c98740611952c8f2991b0b1bfa43
SHA1 hash:	0d7a2733f33690476f1fbb07e8dbe10c67107c33
MD5 hash:	fabd48afaaef4cae33c2049b1dc1c3d5
humanhash:	lima-lemon-hotel-venus
File name:	file
Download:	download sample
Signature	HijackLoader Create hunting rule
File size:	6'355'970 bytes
First seen:	2025-12-23 23:23:17 UTC
Last seen:	2025-12-24 01:34:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	657e40fb09b2c5e277b865a7cf2b8089 (6 x AsyncRAT, 4 x Arechclient2, 3 x DanaBot)
ssdeep	98304:cKaAh0t/+lHgPgIlvZWfE3wV3uWOjdzck8Ir9IFL+oLJCkcAPMN:vlatGuIkwfEvRjdzck8+IFLfLJp5PMN
Threatray	33 similar samples on MalwareBazaar
TLSH	T1C95623326152303BE6F529B3F454C2302D6DA2282B5CC5AECAD0DD5C79686D1AFFB346
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-gcleaner exe HIjackLoader U UNIQ.file

Bitsight

url: http://194.38.20.224/service

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa.exe

Verdict:

Malicious activity

Analysis date:

2025-12-23 23:25:08 UTC

Tags:

delphi hijackloader loader

Link:

https://app.any.run/tasks/a46e3aa5-6a3e-434c-b522-7a0b527ecfe7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45960/

Detection(s):

ditekSHen.MALWARE.Win.Ransomware.STOP.UNOFFICIAL

SecuriteInfo.com.Win32.Trojan.Agent.LBDJYX.8166.24425.UNOFFICIAL

SecuriteInfo.com.Trojan.Siggen31.4764.UNOFFICIAL

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694b24a301c7b4a8fe553f8c

Tags:

ransomware dropper smtp

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm crypto expand fingerprint fingerprint installer installer installer-heuristic lolbin microsoft_visual_cc overlay runonce wix

Link:

https://www.filescan.io/uploads/694b249f84afa5547b5d19aa/reports/c035d0ef-3c23-4291-89e8-ff80cba7ce44/overview

Verdict:

Suspicious

Labled as:

Trojan.Penguish

Link:

https://www.hybrid-analysis.com/sample/5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-23T17:47:00Z UTC

Last seen:

2025-12-23T20:44:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb HEUR:Trojan.Win32.Penguish.gen UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa/results?tab=lookup

Malware family:

IDAT Loader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00d6112a-ad2a-426e-9e6a-6d74c08ed8a6

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/fabd48afaaef4cae33c2049b1dc1c3d5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa/

Verdict:

Malicious

Threat:

Family.HIJACKLOADER

Link:

https://tip.neiki.dev/file/5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa

Threat name:

Win32.Trojan.Hijackloader

Status:

Malicious

First seen:

2025-12-23 20:53:03 UTC

File Type:

PE (Exe)

Extracted files:

156

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=llexhnyoqpdgkl23bm6nbi64tmbpm5vo5n6n6oy3w4fbmw6hnwva._file

Verdict:

malicious

Label(s):

r77rootkit

HijackLoader

5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa

HijackLoader

7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e

HijackLoader

8bbc251d2ac9f059e23e593e77a2394bf81da09b468ff00946a1b82f0ccb9370

HijackLoader

987765aa8da3a5f4ed465cca83080bbe1213f3c5bd4db631edc5db635fb2085b

HijackLoader

ba8f2313b3398187c424d9abed5f735907d01ebc9a11077136d2919e369501d6

HijackLoader

bbec376bc531a18adb2d4edc8e1bd781d7936bb9df29753e033cb2d423da2655

HijackLoader

d67d1628ff5ea924c25c8056446a8143e1171fab7e30dddb24aca3255dad8817

HijackLoader

error

HijackLoader

+ 23 additional samples on MalwareBazaar

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader credential_access discovery loader spyware stealer

Link:

https://tria.ge/reports/251225-nylj4saq71/

Behaviour

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Detects HijackLoader (aka IDAT Loader)

HijackLoader, IDAT loader, Ghostulse,

Hijackloader family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9754c68f-c620-4ac7-93cb-a3240d5141a2

Unpacked files

SH256 hash:

5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa

MD5 hash:

fabd48afaaef4cae33c2049b1dc1c3d5

SHA1 hash:

0d7a2733f33690476f1fbb07e8dbe10c67107c33

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

4f1724a472950faf462c3f0a5b62609e80cc59c974f57ddbdde1389f498b7001

MD5 hash:

9a837c2e5967484b227c7b0678d87850

SHA1 hash:

da2888cd17156221d7f484a42695a87c7698de8f

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

cfe0811d23b8ffba3d6dda0e89b9a84c32b51c6cf3c092e9bb7ed4d8937e5815

MD5 hash:

190f59df45cf938e7e4a5d7741de427f

SHA1 hash:

07cd6023a3294458d4ee19d3aa116681de498cb0

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

b9622d2381c774c851f4d03ece4983462c78df845b0be3f485e627cd3245662c

MD5 hash:

b33bb0a0e6ccdadc255e72b33aae4063

SHA1 hash:

1f3d9c546d6c372e30c2619d5bfd563583a6fed4

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

29c6eb49b611ad6772dc9b80c05551ee648eb30fa2c209aa1a131fc0c977bf96

MD5 hash:

ceb3b2d432fa5bdb2c38877da84dc298

SHA1 hash:

2e5a919529ebfa2f0a6a6f9350f473b5a0c904cb

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

dee34d0789077090d055ef5e78d67e16fff2b3268dc86f40602b90ded765de33

MD5 hash:

3c45e0f7057d63d2640cc4f72fce2233

SHA1 hash:

43e44dcacbb404293e540203ba397e9034dc8593

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

1f1d71a77f1221b3989a08da0853010c8636dc71486f6d64686f7ec73cbca01f

MD5 hash:

f85f420f645effb4c516cda128ce6b1f

SHA1 hash:

97ee610edfa8227e5bf4fb363e54ac9fc09162fd

Detections:

win_samsam_auto

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

c49defc944e4526315573431230306a76118d092adfe868f25696caf0528d1d5

MD5 hash:

c1e585589269d49b15e4694204dfe464

SHA1 hash:

a8896c5bad96625b99b459af2d06c4bc4490d568

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

374a249f290422dae5f23fd968ca8f94cee3d2bfccc3aeb62cda7996165025f0

MD5 hash:

1b042aca4fb97df88e1618ae097bdd7c

SHA1 hash:

c2d256f155e2c11650af05979e05e3517052d225

Detections:

win_samsam_auto

win_get2_a0

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

00a27e436d92393b22939956d20aa76f79f1efaa2e8b2b8846cfab587c09c7b3

MD5 hash:

fbef4e9a9ba05593404e46594a8f19c9

SHA1 hash:

e365a056f3e8da9ae92b5f019f275799225f1801

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

6036be1c9a8819998ad10879dff6c04edc787d34a142a3e0841c0fca36fb9c6e

MD5 hash:

7c76e3100bd67c47f176a0edde3ef79a

SHA1 hash:

bff22f39f3ba61cddd695b8a27b5139c5675afba

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0

MD5 hash:

cabb58bb5694f8b8269a73172c85b717

SHA1 hash:

9ed583c56385fed8e5e0757ddb2fdf025f96c807

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

5152a2fd35d829063dde046f58988a2b97fb2f526cb66321665e99c6f1000e83

MD5 hash:

28a76e19f2901ff4391ac96a58cffb9e

SHA1 hash:

a8ddd1e59e37cfcd049f146a22d7033f51ebd8c3

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe

MD5 hash:

d4dae7149d6e4dab65ac554e55868e3b

SHA1 hash:

b3bea0a0a1f0a6f251bcf6a730a97acc933f269a

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

SH256 hash:

1d853ad30ea2c61379a538c5db1d4db9e87577c1fb7558044bd31a3389e4aa95

MD5 hash:

a3bc59591af1403edec8f6bfbb8a4d16

SHA1 hash:

e71c52fa49229a84b028f91ae57d626d0a8591b0

Link:

https://www.unpac.me/results/a689dc34-cd43-4970-a0a6-b3c48c01ef5a/

Malware family:

IDATLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5ac973b70e83/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

exe 5ac973b70e83c6652f5b0b3cd0a3dc9b02f676aeeb7cdf3b1bb70a165bc76daa

(this sample)

Dropped by

Gcleaner

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/45960/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample