MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092
SHA3-384 hash: 08acdd55537e43c2aaf97707b039426e2cd4b05df73e23289ffd7a78343931ae239b72d5bbacb794f2f382f264f554e9
SHA1 hash: 842c5bebca7f15597bbb22e6f5d29f6d3cfd231f
MD5 hash: 7b5f3973a2d479d674baa51ab400e01d
humanhash: emma-hydrogen-pluto-fruit
File name:sso.ps1
Download: download sample
Signature HijackLoader
Create hunting rule
File size:136 bytes
First seen:2026-02-03 19:09:02 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:vTqdLLLQ6DFVkidrAITH3x8ovOAIiW/HNdy8EyOGoZympln:7qZFvk4AILh8sOAIi0td4z9tn
TLSH T164C02B322108237150D4AC037833C542A33618CA051F3C700B057449E4C23E07C29094
Magika powershell
Reporter aachum
Tags:91-84-123-231 ClickFix HIjackLoader ps1


Avatar
iamaachum
178.17.59.26:5506/sso.txt

IOC: 91.84.123.231:3333

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698247d96b1af47db72c852f
Tags:
shellcode agent shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64
Link:
https://www.filescan.io/uploads/698247d9930564ff3c879788/reports/34b6ac47-1593-4145-842a-6c6595c2a501/overview
Verdict:
Suspicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092
Verdict:
Malicious
File Type:
ps1
First seen:
2026-02-03T16:25:00Z UTC
Last seen:
2026-02-04T05:57:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Win32.Agentb.gen Trojan-Spy.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-PSW.Win32.Coins.sb Trojan-Downloader.Agent.HTTP.C&C HEUR:Trojan.OLE2.Alien.gen Trojan.Win32.Penguish.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Sheet.sb Trojan.Win32.Strab.sb Trojan.Win32.Resetter.sb Trojan.PowerShell.Strion.sb NetTool.PowerShellGet.HTTP.C&C NetTool.PowerShellUA.HTTP.C&C Trojan.PowerShell.Agent.azs
Link:
https://opentip.kaspersky.com/642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092/results?tab=lookup
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1862762
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Contains VNC / remote desktop functionality (version string found)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs new ROOT certificates
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Yara detected HijackLoader
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1862762 Sample: sso.ps1 Startdate: 03/02/2026 Architecture: WINDOWS Score: 100 54 pub-50a54badab6f4f408cd8e6c0a3dbfa4f.r2.dev 2->54 56 example.com 2->56 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 6 other signatures 2->74 9 msiexec.exe 89 50 2->9         started        12 powershell.exe 15 22 2->12         started        signatures3 process4 dnsIp5 46 C:\Users\user\AppData\Local\...\zpsres.US.dll, PE32 9->46 dropped 48 C:\Users\user\AppData\Local\...\zcl.dll, PE32 9->48 dropped 50 C:\Users\user\AppData\...\libiomp5md.dll, PE32 9->50 dropped 52 10 other files (none is malicious) 9->52 dropped 16 S_Circuitr.exe 16 9->16         started        58 178.17.59.26, 49718, 5506 FOURD-ASGB Germany 12->58 60 pub-50a54badab6f4f408cd8e6c0a3dbfa4f.r2.dev 104.18.54.45, 443, 49719 CLOUDFLARENETUS United States 12->60 82 Installs new ROOT certificates 12->82 84 Found suspicious powershell code related to unpacking or dynamic code loading 12->84 20 conhost.exe 12->20         started        22 msiexec.exe 12->22         started        file6 signatures7 process8 file9 34 C:\ProgramData\superhost_v8\S_Circuitr.exe, PE32 16->34 dropped 36 C:\ProgramData\superhost_v8\zpsres.US.dll, PE32 16->36 dropped 38 C:\ProgramData\superhost_v8\zcl.dll, PE32 16->38 dropped 40 10 other files (none is malicious) 16->40 dropped 66 Switches to a custom stack to bypass stack traces 16->66 24 S_Circuitr.exe 5 16->24         started        signatures10 process11 file12 42 C:\Users\user\AppData\Roaming\...\Crisp.exe, PE32 24->42 dropped 44 C:\Users\user\AppData\Local\...\PlaneV128.exe, PE32 24->44 dropped 76 Maps a DLL or memory area into another process 24->76 78 Switches to a custom stack to bypass stack traces 24->78 80 Found direct / indirect Syscall (likely to bypass EDR) 24->80 28 PlaneV128.exe 5 24->28         started        32 Crisp.exe 3 24->32         started        signatures13 process14 dnsIp15 62 91.84.123.231, 3333, 49725, 49727 ECLIPSEGB United Kingdom 28->62 64 example.com 104.18.27.120, 49726, 49728, 49730 CLOUDFLARENETUS United States 28->64 86 Query firmware table information (likely to detect VMs) 28->86 88 Contains VNC / remote desktop functionality (version string found) 28->88 90 Unusual module load detection (module proxying) 28->90 92 Found direct / indirect Syscall (likely to bypass EDR) 28->92 94 Switches to a custom stack to bypass stack traces 32->94 signatures16
Score:
64%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-02-03 19:09:27 UTC
File Type:
Text (PowerShell)
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mquzh5t7c23msigordcz6l7fszev5ptws43wnkaztajz7swu2cja._file
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader credential_access discovery execution loader persistence spyware stealer
Link:
https://tria.ge/reports/260203-xtwc7aev9d/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Drops file in Drivers directory
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Malware Config
Dropper Extraction:
http://178.17.59.26:5506/swq.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_ClickFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:ClickFix social engineering and malicious PowerShell commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

PowerShell (PS) ps1 642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092

(this sample)

HijackLoader

PowerShell (PS) ps1 d63f35ea58cfc62c280c18845cb77ad804ce13735dd7825961b607fe421ac0e0

anyrun
any.run
https://app.any.run/tasks/bb52552e-29a3-44da-9ff2-2482565eeb42
  
Delivery method
Distributed via web download
  
Dropping
SHA256 d63f35ea58cfc62c280c18845cb77ad804ce13735dd7825961b607fe421ac0e0
  
Dropping
MD5 1954b5346fd9b192d1efe9b1c0049a50
  
Dropping
SHA256 10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9
  
Dropping
MD5 55b6a68958ce593e8d3fc7420e234886

Comments