MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60972229523eb137860bae114a667ace6d6109ebeec4f219628cdfe00e88d145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	60972229523eb137860bae114a667ace6d6109ebeec4f219628cdfe00e88d145
SHA3-384 hash:	054b18aa0a0a7beef70f9fc968cd9fbacbf1cd2b9989135654a20bdecb2c4219d278bc7765c79192126a26b8fa68b421
SHA1 hash:	e032d4fa641bd0df92311bcb395981c13bc20e48
MD5 hash:	24bbacbf39c24cd2be96d071b49f5ab7
humanhash:	black-oxygen-dakota-seventeen
File name:	7ZSfxMod_x86.exe
Download:	download sample
Signature	HijackLoader Create hunting rule
File size:	3'242'264 bytes
First seen:	2025-05-31 22:46:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep	98304:gpQpRHxFqdEHNfmVXdbGy5WqJ39bKFfixF7qd/pjsn+m:gpQpRRFXIRGy5xjmfYcbw+m
Threatray	1 similar samples on MalwareBazaar
TLSH	T1CAE533213788B8F2D7B1C4B6CF8AFB6245F6F69623045E8795466F452F432B1030B5EA
TrID	38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 24.6% (.EXE) Win64 Executable (generic) (10522/11/4) 11.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.5% (.EXE) Win32 Executable (generic) (4504/4/1) 4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter	SquiblydooBlog
Tags:	exe HIjackLoader LLC-Stroy-Klining signed

Code Signing Certificate

Organisation:	LLC Stroy-Klining
Issuer:	GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-05-20T13:30:30Z
Valid to:	2026-05-21T13:30:30Z
Serial number:	0632bf3a5f5e1456fecba3f3
Intelligence:	8 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	2766f51e000026a9f6da6a135552641a25330773066eecab9388ea6197a4e155
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

460

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7ZSfxMod_x86.exe

Verdict:

Malicious activity

Analysis date:

2025-05-31 22:31:25 UTC

Tags:

stealer hijackloader loader ultravnc rmm-tool

Link:

https://app.any.run/tasks/74ec6725-070b-4834-9f0a-41601b85f43e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6603/

Detection(s):

SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683b88d0668438e362e94548

Tags:

autorun dropper virus spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a file

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context fingerprint installer microsoft_visual_cc overlay packed packer_detected signed

Link:

https://www.filescan.io/uploads/683b86f1e336a33801e12b27/reports/003f9fb9-1518-4d5a-af59-3197204b0719/overview

Verdict:

Malicious

Labled as:

Trojan_Win32_Malgent

Link:

https://www.hybrid-analysis.com/sample/60972229523eb137860bae114a667ace6d6109ebeec4f219628cdfe00e88d145

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b2ce112f-2f2c-48fd-9285-b0a3aad3d317

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1703099

Signature

Found direct / indirect Syscall (likely to bypass EDR)

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Behaviour

Behavior Graph:

Download SVG

Score:

84%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/60972229523eb137860bae114a667ace6d6109ebeec4f219628cdfe00e88d145

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60972229523eb137860bae114a667ace6d6109ebeec4f219628cdfe00e88d145/

Threat name:

Win32.Trojan.Malgent

Status:

Malicious

First seen:

2025-05-29 20:41:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 36 (30.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mclsekksh2ytpbqlvyiuuzt2zzwwccpl53cpeglcrtp6adui2fcq._file

Verdict:

malicious

Label(s):

idatloader

HijackLoader

error

HijackLoader

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader discovery loader

Link:

https://tria.ge/reports/250531-2qlf2afr3v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d90a7d74-815b-40b2-81fb-c27ad6055a97

Unpacked files

SH256 hash:

60972229523eb137860bae114a667ace6d6109ebeec4f219628cdfe00e88d145

MD5 hash:

24bbacbf39c24cd2be96d071b49f5ab7

SHA1 hash:

e032d4fa641bd0df92311bcb395981c13bc20e48

Link:

https://www.unpac.me/results/c75c809e-1ed8-45d5-ad81-21791a189a20/

SH256 hash:

e4e2bcc065f6f8242aff4177790eef379cb530e87f315e4765ae70f9a66856fb

MD5 hash:

58d816178ee5dca92e1e57a6fe4aa117

SHA1 hash:

3f2116e2afbbb693b37d195fb982e45f1822557b

Link:

https://www.unpac.me/results/c75c809e-1ed8-45d5-ad81-21791a189a20/

SH256 hash:

354cb15464a980c118190a210ebace6d7dd02b59c5fbf2c5fe033afcc0d07646

MD5 hash:

0ff65365df01dd109be7aa2b83ce4246

SHA1 hash:

b7ce283f72aa99d4bdf78adb770bf58e778a6eb1

Link:

https://www.unpac.me/results/c75c809e-1ed8-45d5-ad81-21791a189a20/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/60972229523eb137860bae114a667ace6d6109ebeec4f219628cdfe00e88d145

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/6603/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetDiskFreeSpaceExW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::GetSystemDirectoryW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample