MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33
SHA3-384 hash: 6e7047c8e5560828129dc88d162c67c9d2ad312e99a50ad0359ed6d05a0ea68036c6ab00931b8461bb2fd1e06236f331
SHA1 hash: e7b966889f5d100e16f691f3a5268d4058629514
MD5 hash: 8b1bbbbac27e285bff9ddeb2773e4859
humanhash: cardinal-utah-tennis-lactose
File name:7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33
Download: download sample
Signature HijackLoader
Create hunting rule
File size:1'193'472 bytes
First seen:2025-09-25 17:44:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dc811f0c6d0f8d16af46165476a22382 (1 x HijackLoader)
ssdeep 24576:gpdo3nebPERW0SQ8VlcaQe6U8vI0frZXeIQgDZ9mvLDyKq:gpdoXebsDSBHQe6U8vI0frZXeAHmW
Threatray 27 similar samples on MalwareBazaar
TLSH T148457D5A93A442F9D0ABC1B8C5064603E3B6741613719BDF06F09BA62F23AF16F7E711
TrID 48.6% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter JAMESWT_WT
Tags:94-124-160-119 exe HIjackLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33
Verdict:
Malicious activity
Analysis date:
2025-09-25 17:49:04 UTC
Tags:
stealer evasion anti-evasion arch-exec auto-startup
Link:
https://app.any.run/tasks/a2e5d647-4d92-4266-b338-ecad1b82bd5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29077/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d57f98cc9425144151ef09
Tags:
shellcode madi sage smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a process from a recently created file
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto fingerprint lolbin microsoft_visual_cc obfuscated remote threat
Link:
https://www.filescan.io/uploads/68d57fd26c140e5b35fe4816/reports/c4dfba9e-1859-4ee3-83cb-d86d3d6a68a2/overview
Verdict:
Malicious
Labled as:
Win64/Agent_AGeneric.EOG trojan
Link:
https://www.hybrid-analysis.com/sample/7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-24T13:43:00Z UTC
Last seen:
2025-09-24T13:43:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.Win32.Agent.sb Trojan-Downloader.Agent.HTTP.C&C Trojan.BitCoinMiner.HTTP.C&C Trojan.Win32.BitCoinMiner.hai NetTool.PlainTextCredentials.FTP.C&C NetTool.cURLGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a2111bd4-b2e8-451a-abf9-7cd3f470fdfc
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/8b1bbbbac27e285bff9ddeb2773e4859
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-24 19:08:53 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oee4oszevcb5xu346xjduelef3ifnwdw4ujacavlqyg2jgcvbyzq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
230f4de7b92166c695ad4f8bc469e2a39a31d0640ceb994d4f46f1afdabea90b
HijackLoader
5fe9e516f35fff47564762f9bcb9804f73df817ebe12f8fc4d85e586f4542b6b
HijackLoader
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
HijackLoader
8753968482ef91fe499489d0d3e3add91fe90f49b98f347793e654da937edaeb
HijackLoader
bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903
HijackLoader
bcc062030c3615d3f8e42e3a2a0b4410e07cf5c845c72c95b56d41d81bac5f46
HijackLoader
error
HijackLoader
f1051b842f6ba781236e736bcb3a1ed9c10bc2036b6f9d2c43062e0bf7b25bba
HijackLoader
f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f
HijackLoader
+ 17 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader credential_access defense_evasion discovery loader persistence spyware stealer
Link:
https://tria.ge/reports/250925-wc6xxsej3z/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Network Service Discovery
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Uses browser remote debugging
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7e24c190-006e-4ee7-afa6-86bfeac81f59
Unpacked files
SH256 hash:
7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33
MD5 hash:
8b1bbbbac27e285bff9ddeb2773e4859
SHA1 hash:
e7b966889f5d100e16f691f3a5268d4058629514
Link:
https://www.unpac.me/results/ecb7a355-dc31-414b-9f63-0cfa05d2a2b4/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7109c74b24a8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29077/

Comments