MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
SHA3-384 hash: e8368491fa860576a2c71c422f7299f73fafbd0cecfac092c841b1c28e1d927cd62d501f42b7f9b9fe637194681e449e
SHA1 hash: 3ce6fd79fe5202b01df95e52118649bb13d6eb22
MD5 hash: 66295a7bae7d797c6c51f51c8b5500af
humanhash: minnesota-stream-pip-crazy
File name:file
Download: download sample
Signature HijackLoader
Create hunting rule
File size:8'948'824 bytes
First seen:2025-11-28 11:35:05 UTC
Last seen:2025-11-29 03:04:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (9 x OffLoader, 8 x HijackLoader, 7 x Tofsee)
ssdeep 196608:rDbytMiibX8dnS3CAGsyoyrpt9tpSoNruW31RYmkY6rd0Tbyj47QpKScaB:rDuGZbXr38/9+o31kYVn7Qp9B
Threatray 10 similar samples on MalwareBazaar
TLSH T1AF962313F24E633EE469563A49729950953FBE20A51A8CA3C6EC3D4CCE2A1601D7FF47
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-gcleaner exe G HIjackLoader US.file


Avatar
Bitsight
url: http://194.38.20.224/service

Intelligence

File Origin
# of uploads :
4
# of downloads :
128
Origin country :
US US
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-11-28 11:35:45 UTC
Tags:
hijackloader loader rat asyncrat remote
Link:
https://app.any.run/tasks/948a5fbc-f3e5-4de7-b339-aa0e02aa85f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41713/
Detection(s):
Win.Malware.Generic-10058577-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692988fb6657e3433281c990
Tags:
vmprotect shellcode injection dropper
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed
Link:
https://www.filescan.io/uploads/692988f7efb2056353586566/reports/f0ad6fd3-033a-44d7-8b1c-30c65238d6b5/overview
Verdict:
Suspicious
Labled as:
Backdoor.MSIL.XWorm.gen
Link:
https://www.hybrid-analysis.com/sample/9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-28T08:39:00Z UTC
Last seen:
2025-11-30T08:46:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.PatchedLoader.sb HEUR:Trojan-Dropper.Win32.Agent.gen Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Loader.qtd Trojan.Win32.Delf.sb
Link:
https://opentip.kaspersky.com/9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c65593cf-2ad4-49b0-8665-c2aeee2600de
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/66295a7bae7d797c6c51f51c8b5500af
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
Threat name:
Win32.Trojan.Hijackloader
Create hunting rule
Status:
Malicious
First seen:
2025-11-28 11:35:23 UTC
File Type:
PE (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tzsvwy3s54m4z2lrhiqr5nd3q5nfezy247mikyboq5hg5yfn5mba._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
4859f2c31e07b67cdab2fd06d5dc082728e7498426f3b05dfc09cb31855470c4
HijackLoader
564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874
HijackLoader
5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930
HijackLoader
6c0d55be0a3d4ebb1cf17f7a7ab169474e295d8bb59171c1d4e7eea568cd2a8e
HijackLoader
bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
HijackLoader
error
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery installer loader
Link:
https://tria.ge/reports/251128-np576avlgm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/006bd15b-26d3-45df-8256-e56ce15dbd1a
Unpacked files
SH256 hash:
9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
MD5 hash:
66295a7bae7d797c6c51f51c8b5500af
SHA1 hash:
3ce6fd79fe5202b01df95e52118649bb13d6eb22
Link:
https://www.unpac.me/results/ae46f973-7ff1-4d60-ba6a-a2b2b299815d/
SH256 hash:
a7f8a6fbc4c9ff59da717cdd78d5d2daaae18155ea5068cea828c1b1c517ab8d
MD5 hash:
cb10b85c33422a9a72fb4ec3b59906d0
SHA1 hash:
59fe89776ee09c4ce5a1fe184c34c770c471d7a2
Link:
https://www.unpac.me/results/ae46f973-7ff1-4d60-ba6a-a2b2b299815d/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/ae46f973-7ff1-4d60-ba6a-a2b2b299815d/
SH256 hash:
650e262daf91ff7d0bc68a2cbb6b3beb57cac7188d11642dbce2117da9fd4e31
MD5 hash:
bd10fd81a6c2b40f0bb2ead7ed899c75
SHA1 hash:
1d12520b6d76cffaa722e82264972ababc01e57b
Link:
https://www.unpac.me/results/ae46f973-7ff1-4d60-ba6a-a2b2b299815d/
SH256 hash:
2fc2ab39dc3a04f8e764b812c139b6d61578f4adaf4ae472598dd7f61cd3aaf2
MD5 hash:
453675ac458ac625b16a5edf79df25a0
SHA1 hash:
e7732d2d754d4fc078dfdbe8ac0eda9c6ac0e411
Link:
https://www.unpac.me/results/ae46f973-7ff1-4d60-ba6a-a2b2b299815d/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e655b6372ef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe 9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/41713/

Comments