MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7835afd2be9d2b8c770633a8b7fcf635d6a6fb232327bb15dad103bfdf7c058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 5

Intelligence 5 IOCs YARA 25 File information Comments

SHA256 hash:	a7835afd2be9d2b8c770633a8b7fcf635d6a6fb232327bb15dad103bfdf7c058
SHA3-384 hash:	f802489bef12dc9ffb4a944334a709d0ec6e6b78a4b0a3e5ff280e64704fc2fb3cbdad474ba1f8793d256463790e594d
SHA1 hash:	14331c241da4b6f0e1e82a2de1a2a9a00608eaac
MD5 hash:	ea1b79e4ad6a58619a3e355b5ef4f7d8
humanhash:	comet-queen-cardinal-floor
File name:	Installer.08-79-1-98.zip
Download:	download sample
Signature	HijackLoader Create hunting rule
File size:	15'389'715 bytes
First seen:	2025-10-17 21:21:53 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	393216:K1vThznL1urBB8on2EcaXQcU2lGNKiIa9UkgENKhmPY7CK:aLh34rlHtXX/lGQI9UkgjHt
TLSH	T18CF633C0FCFA1763D649E5B693A076063D0B8C518F551E2A62F533223E733999626BCC
Magika	zip
Reporter	aachum
Tags:	DeerStealer FakeUpdates HIjackLoader zip

iamaachum

https://statswpmy.com/mixx.html => https://pianepal.com/download.php

DeerStealer C2: rodoiluctcrrcqqmbe.com
Other IOCs:
https://api.telegram.org/bot7972762095:AAE_DZEcCA4tkMpVK-peSGL6x4j4GMgl-3g/sendMessage -d chat_id=8093548175

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 18 file(s), sorted by their relevance:

File name:	{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
File size:	658'696 bytes
SHA256 hash:	85107cd1137f2a3dd84ac80fd2aa8b66d7c1e05c6c39bcc5e1e26d11829767b2
MD5 hash:	d6a60cfc6ad57ad8f4a130446b380425
MIME type:	application/octet-stream
Signature	HijackLoader

File name:	appicon_128.png
File size:	12'093 bytes
SHA256 hash:	7595f8fcda88faac9e780daec64537141dd1cd7debde6e61ff23d4d847588d8a
MD5 hash:	8e29b69e420d4683529549857d3bfaeb
MIME type:	image/png
Signature	HijackLoader

File name:	appicon_32.png
File size:	1'936 bytes
SHA256 hash:	8f0eac6ae9f575b12f0b0ee13cd842198a01cfcb793c4de35637ea8019f4cbb9
MD5 hash:	ab3a4b1972c4caea8668e32a0836be1b
MIME type:	image/png
Signature	HijackLoader

File name:	appicon_16.png
File size:	724 bytes
SHA256 hash:	06f6a637890d692a72860f612e7c035af6919b19e75e290cf20d83bbb2faa7d5
MD5 hash:	b61c6bef055f70a9071bcea3aebfcb0d
MIME type:	image/png
Signature	HijackLoader

File name:	Installer.08-79-1-98.ini
File size:	308 bytes
SHA256 hash:	4516cafb1a38ee581f7dd6b7220182e03f2f64eceb384166046ae219b032d306
MD5 hash:	71a20228bcc222df52eb74d16a610a44
MIME type:	text/plain
Signature	HijackLoader

File name:	Installer.08-79-1-98.exe
File size:	227'168 bytes
SHA256 hash:	bf0e870e0b9de578ab72a4b8cee7b12e23bc5bdde92748e37df72456ab11308e
MD5 hash:	e900661b57ac262f1c1470a9ed925bc9
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	Installer-08-79-1-98.exe
File size:	18'427'544 bytes
SHA256 hash:	c1c84e86807e1a0f0594fae6883f904c958710e8dbeb760249fcc59eec9e9949
MD5 hash:	58b991179f8d4da130a15fbf7c6a5dbe
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	appicon_75.png
File size:	7'446 bytes
SHA256 hash:	ea78ca5fae638cebf7663be92e212c4ddd8ce713d186b81ddd6e5704a47a5384
MD5 hash:	c692296206b9f1a8a8b3380be1f818ac
MIME type:	image/png
Signature	HijackLoader

File name:	error_log
File size:	5'696 bytes
SHA256 hash:	09bfd8ca04c2328c751ad331bb9a19d893e5c56d46217db85bc821f2cc71936c
MD5 hash:	df234ece8f1acfa8b5782979100a64ca
MIME type:	text/plain
Signature	HijackLoader

File name:	Readme.txt
File size:	75 bytes
SHA256 hash:	42241d10c9c6aa8e38f9a4097ef722fb362dea7b0bb1253dae76b5f3bc5526e5
MD5 hash:	aec5dc9a01419df4765ced7418ac9a44
MIME type:	text/plain
Signature	HijackLoader

File name:	license.txt
File size:	35'800 bytes
SHA256 hash:	b5cd774c1d086cebb073999a7a93d17cb81525540d5f6096c044a949d0bd91b1
MD5 hash:	4e9137b92abd5e5ba212cf667d833b2c
MIME type:	text/plain
Signature	HijackLoader

File name:	wfpdiag.etl
File size:	1'048'576 bytes
SHA256 hash:	cae45c3d181ee6e25920713207ac1a4806f263a8b7f0415647bc3aebc0234622
MD5 hash:	5bd8fcbd1f1eb64bb72e1d7e13824c31
MIME type:	application/octet-stream
Signature	HijackLoader

File name:	splash.jpg
File size:	17'927 bytes
SHA256 hash:	817b4ee7aadf6d994bce4a42af84710607ea0292dc74b134d1a527f4faf760cf
MD5 hash:	d74ce0192511e3b83ae6ea975f81d030
MIME type:	image/jpeg
Signature	HijackLoader

File name:	appinfo.ini
File size:	347 bytes
SHA256 hash:	32962a66786cc5b655fc30f9003905031fd71e2843adf03ca930e173f462fc3e
MD5 hash:	025230dc0e53f69d081d3d3f619e8c0f
MIME type:	application/x-wine-extension-ini
Signature	HijackLoader

File name:	cversions.2.db
File size:	16'384 bytes
SHA256 hash:	79cc1ea90927349d3b5d6436097656e5d4d4b25f39686a1d971c8a0f0e1c961f
MD5 hash:	11ae98c4beba2826ef6e5576106effab
MIME type:	application/x-tplink-bin
Signature	HijackLoader

File name:	Windows-gather.db-wal
File size:	4'161'232 bytes
SHA256 hash:	0ec0e666c123f120de016cb39f77a5af19ddaac69c6bfd778f4e0b4d02dee6a7
MD5 hash:	94664a431d7d0b9da0eb4df2cd5b0f98
MIME type:	application/octet-stream
Signature	HijackLoader

File name:	{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
File size:	307'040 bytes
SHA256 hash:	26f702dfa7038cef3b55260a7e0998ae7ed2ac024031c333ddcbf9257eb4d1c6
MD5 hash:	fee239f4944be708f2cf183b1fdafabb
MIME type:	application/octet-stream
Signature	HijackLoader

File name:	Installer-08-79-1-98.dll
File size:	9'748'001 bytes
SHA256 hash:	36af9fbe47933494156f7aef50b5c37b5cffe5152bc29183c9f6149f546219a0
MD5 hash:	57e87293d56fae4edbf4e73506c0b1da
MIME type:	text/plain
Signature	HijackLoader

Vendor Threat Intelligence

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f2b3a772d478f90598d501

Tags:

dropper

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a7835afd2be9d2b8c770633a8b7fcf635d6a6fb232327bb15dad103bfdf7c058

Verdict:

Unknown

File Type:

zip

Link:

https://opentip.kaspersky.com/a7835afd2be9d2b8c770633a8b7fcf635d6a6fb232327bb15dad103bfdf7c058/results?tab=lookup

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) Zip Archive

Link:

https://app.malva.re/file/ea1b79e4ad6a58619a3e355b5ef4f7d8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a7835afd2be9d2b8c770633a8b7fcf635d6a6fb232327bb15dad103bfdf7c058/

Threat name:

Script-JS.Trojan.Heuristic

Status:

Malicious

First seen:

2025-10-17 21:23:45 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

4 of 24 (16.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u6bvv7jl5hjlrr3qmm5iw76pmnowu35sgizhxmk5vuidx7pxybma._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.53

Link:

https://yomi.yoroi.company/submissions/a7835afd2be9d2b8c770633a8b7fcf635d6a6fb232327bb15dad103bfdf7c058

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	attack_India Create hunting rule

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_Base64 Create hunting rule
Author:	Eslam Hassan
Description:	Detects hex encoded code that has been base64 encoded
Reference:	Internal Research

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

zip a7835afd2be9d2b8c770633a8b7fcf635d6a6fb232327bb15dad103bfdf7c058

(this sample)

unknown 36af9fbe47933494156f7aef50b5c37b5cffe5152bc29183c9f6149f546219a0

any.run

https://app.any.run/tasks/6a7778ce-de50-4f43-a162-366daa99a1ea

Delivery method

Distributed via web download

Dropping

SHA256 36af9fbe47933494156f7aef50b5c37b5cffe5152bc29183c9f6149f546219a0

Dropping

MD5 57e87293d56fae4edbf4e73506c0b1da

Dropping

SHA256 cabf319baf5f3c955f6e251d101bdc61a1d7c3ced40e3f313c7d43f8571c00dd

Dropping

MD5 fefd3627416d34ab1f1aef77720fdfe0

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample