MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a
SHA3-384 hash: 3748cc8d311e370fd8a906cd8c08dde1c3024d291369006b89f87a9e03717c18acf75ebcd761ce54adde3f551775e304
SHA1 hash: 74cd4b95605cf1208b9da65ec36d32d9c4df164b
MD5 hash: 86925f7a40d854847d54f7c1689975bf
humanhash: stairway-early-queen-uniform
File name:Setup.exe
Download: download sample
Signature HijackLoader
Create hunting rule
File size:13'097'928 bytes
First seen:2025-11-27 19:43:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 86b68f0acc7701b549ae2015f28af696 (1 x HijackLoader, 1 x Stealc)
ssdeep 393216:dWsVkN/0VHpVoANEruZBqz8zL0uNKhmkaIKsf:dWNOHpVhNkE0z8zAgmjD
Threatray 144 similar samples on MalwareBazaar
TLSH T160D623952A9881E4C0B6CA38C5F54163F2773C416FB5EEDF19696A1E3D3B6E04E38321
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter smica83
Tags:exe HIjackLoader signed

Code Signing Certificate

Organisation:Linkus Corporation
Issuer:Microsoft ID Verified CS AOC CA 01
Algorithm:sha384WithRSAEncryption
Valid from:2025-11-25T12:56:36Z
Valid to:2025-11-28T12:56:36Z
Serial number: 3300066cc50aec31f33a55ef36000000066cc5
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 24911378177c0f5c764824787f40266d2e3f00cb2f6d1472868ea0f77f165229
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-11-27 19:43:40 UTC
Tags:
auto-startup hijackloader loader
Link:
https://app.any.run/tasks/74f5a688-30ca-4a85-9b45-ce2794ea0d90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41675/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6928aa726657e34332819517
Tags:
dropper virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug fingerprint installer-heuristic lolbin microsoft_visual_cc overlay runonce short-lived-cert signed
Link:
https://www.filescan.io/uploads/6928a9d8d0d5e7288b4e5041/reports/1049d41f-0298-4834-93c4-907ee5b0dcf5/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a
Verdict:
Clean
File Type:
exe x64
First seen:
2025-11-27T15:32:00Z UTC
Last seen:
2025-11-27T16:56:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7496b3db-4eb5-4112-b15b-001685fc9905
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/1821904
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Unusual module load detection (module proxying)
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1821904 Sample: Setup.exe Startdate: 27/11/2025 Architecture: WINDOWS Score: 66 75 filedn.com 2->75 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Yara detected HijackLoader 2->85 12 Setup.exe 11 2->12         started        signatures3 process4 file5 65 C:\Users\user\AppData\Local\...\_isD8C1.exe, PE32+ 12->65 dropped 15 _isD8C1.exe 1 84 12->15         started        process6 file7 67 C:\Users\user\AppData\...\Uti_Hyper32.exe, PE32+ 15->67 dropped 69 C:\Users\user\AppData\Local\...\Setup_UI.dll, PE32+ 15->69 dropped 71 C:\Users\user\AppData\Local\...\SSLEAY32.dll, PE32+ 15->71 dropped 73 9 other files (none is malicious) 15->73 dropped 18 Uti_Hyper32.exe 13 15->18         started        process8 file9 43 C:\ProgramData\...\Uti_Hyper32.exe, PE32+ 18->43 dropped 45 C:\ProgramData\winorchestrator\SSLEAY32.dll, PE32+ 18->45 dropped 47 C:\ProgramData\winorchestrator\Qt5Xml.dll, PE32+ 18->47 dropped 49 7 other files (none is malicious) 18->49 dropped 87 Found direct / indirect Syscall (likely to bypass EDR) 18->87 22 Uti_Hyper32.exe 5 18->22         started        signatures10 process11 file12 51 C:\Users\user\AppData\Local\ParaDock.exe, PE32+ 22->51 dropped 53 C:\Users\user\AppData\Local\...\39D3A85.tmp, PE32+ 22->53 dropped 89 Modifies the context of a thread in another process (thread injection) 22->89 91 Found hidden mapped module (file has been removed from disk) 22->91 93 Maps a DLL or memory area into another process 22->93 95 2 other signatures 22->95 26 ParaDock.exe 15 22->26         started        31 cmd.exe 3 22->31         started        signatures13 process14 dnsIp15 77 85.192.49.81, 49694, 80 DINET-ASRU Russian Federation 26->77 79 filedn.com 74.120.8.113, 443, 49695 LEMURIACOUS United States 26->79 63 C:\Users\user\...\qkbjurczaovpcgubqmzs.exe, PE32+ 26->63 dropped 97 Unusual module load detection (module proxying) 26->97 99 Found direct / indirect Syscall (likely to bypass EDR) 26->99 33 qkbjurczaovpcgubqmzs.exe 10 26->33         started        101 Switches to a custom stack to bypass stack traces 31->101 36 conhost.exe 31->36         started        file16 signatures17 process18 file19 41 C:\Users\user\AppData\Local\...\_is822B.exe, PE32+ 33->41 dropped 38 _is822B.exe 1 93 33->38         started        process20 file21 55 C:\Users\user\AppData\Local\...\vclx120.bpl, PE32 38->55 dropped 57 C:\Users\user\AppData\Local\...\vcl120.bpl, PE32 38->57 dropped 59 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 38->59 dropped 61 18 other files (none is malicious) 38->61 dropped
Score:
11%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/86925f7a40d854847d54f7c1689975bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=taktvqdpkvyo424u5vr4b3wnuqnvjzxdni5j6m5lizxfwlkcdjfa._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
wikiloader
Create hunting rule
Similar samples:
140ecf21d10354385de279ce0b5104078f251c096583d156f8627c623502a4ca
HijackLoader
2caa70d1b1c96ce8b1b4a8f85e4298f2b3f3fdba8ca3b9fa6d60ca561a1296b0
HijackLoader
4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd
HijackLoader
6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134
HijackLoader
772a30aed296438ac6b15e39125e213a8beea7abd862b72c21906d3326b19b03
HijackLoader
a78ffd85baef5049b36b9e694d41509aa3c9308a1ec5294c0ab5ae97eb95b18d
HijackLoader
a8a4d5359e832c8d0c8068f84e94d373ada45e8f3590ba02931000bcf37d3b11
HijackLoader
c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f
HijackLoader
df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7
HijackLoader
e61a0c457a57eb941199d4461934f73a88db58ee64b74a28373f28c85d757c84
HijackLoader
error
HijackLoader
+ 134 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader
Link:
https://tria.ge/reports/251127-yfdfwscn8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9b41c4b-a0bc-461d-a9c4-700c3978b555
Unpacked files
SH256 hash:
98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a
MD5 hash:
86925f7a40d854847d54f7c1689975bf
SHA1 hash:
74cd4b95605cf1208b9da65ec36d32d9c4df164b
Link:
https://www.unpac.me/results/20b692a5-0036-46d6-85c7-b2ccaaa8a0b2/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/98153ac06f55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/98153ac06f5570ee6b94ed63c0eecda41b54e6e36a3a9f33ab466e5b2d421a4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41675/

Comments