MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df
SHA3-384 hash: f0c47b989846608efc2c015ef1e76a2bd4cea1755d76733a9c3918308445118b161abd0cca0d02839bd5a773438cab5f
SHA1 hash: 67bb9e694053367f2b72a5d6c2a32e7d7c2411be
MD5 hash: b33e1f40fc61f9b6386a9f73c5eacb87
humanhash: asparagus-south-pluto-london
File name:kjard_encoded.ps1
Download: download sample
Signature HijackLoader
Create hunting rule
File size:230 bytes
First seen:2025-12-01 15:25:48 UTC
Last seen:2025-12-01 15:27:32 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 6:s8SMVnxV7NevE8ydH1O7kC9kO6hrupHCBtOmCr/qi:s8z9evE8ydH1OgC9kO6hcHCXYD
Threatray 95 similar samples on MalwareBazaar
TLSH T1A5D0A7A6B89CCC8527DF60901083694D23BA8793CA3801B561885D456C58911C7FA1DC
Magika batch
Reporter Mengoh
Tags:ClickFix HIjackLoader powershell ps1


Avatar
Mengoh
Clickfix clipboard payload found on kjarz[.]com

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
US US
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692db39cc908fdc697475ece
Tags:
ransomware obfuscate xtreme
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df
Verdict:
Malicious
File Type:
ps1
First seen:
2025-12-01T12:43:00Z UTC
Last seen:
2025-12-01T13:39:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.DLLhijack.abnt Trojan.Win32.DLLhijack.abns HEUR:Trojan.OLE2.Alien.gen Trojan-Downloader.PowerShell.Agent.sb Trojan.Win32.Penguish.sb Trojan-Downloader.VBS.Agent.bra PDM:Trojan.Win32.Generic Trojan.Win32.Strab.sb NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df/results?tab=lookup
Score:
31%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df/
Verdict:
Malicious
Threat:
AuxiliaryAnalysis.Malware.Generic
Link:
https://tip.neiki.dev/file/7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-12-01 15:26:20 UTC
File Type:
Text (Batch)
AV detection:
3 of 38 (7.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p6jm43o7mmw5jg3akl3xqv55apt6ad4jszoz2zsiyydxhbd3u3pq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
0a5f07bba72afe6d78126f87467ad8c1b6cf086dee17e64bd7734ca60922af2c
HijackLoader
1aae99b733ab72044e157732a6c1d917edf704851d0c4fe38578c0175121408b
HijackLoader
731a72d29320e1bf43b2004ee56583c7b9c279790c01b3569141bd8849d3afca
HijackLoader
8986d305ceed84c8dbc430ae7caf31b645f22fe5c4c29bca869eaee9abc46585
HijackLoader
ba8f2313b3398187c424d9abed5f735907d01ebc9a11077136d2919e369501d6
HijackLoader
bf91cb86e3d06ae3ac4ac6cd2252a387046c10658701ea8a11ffa706397814c2
HijackLoader
e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e
HijackLoader
e64bbdb7c4ba3c2b54b6f848cc6c307ef09aec4ac1b63debc65bb0fbd7e36d76
HijackLoader
error
HijackLoader
f9040a4e04ed7681ad1fbcd20d52f0b4393652ad64ba0006cb1b3968f0d5e851
HijackLoader
+ 85 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery execution loader persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/251201-svbmyszjaw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments