MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b87932a6ec2499d7d36ca764a64e5b38a209d1bb97346ef65226082db6830194. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



HijackLoader


Vendor detections: 17



SHA256 hash: b87932a6ec2499d7d36ca764a64e5b38a209d1bb97346ef65226082db6830194
SHA3-384 hash: 45743ef5da0891ad365afbf82e099552489803605d7683e3aced724cbfb712acd66b52c2aab6be65749bcefb5b2fda06
SHA1 hash: 0280e4fc1b285d4614c37615faf7a5792144b4fe
MD5 hash: 81d348e269973aa9d46fdc3651b01245
humanhash: stairway-winter-wyoming-washington
File name: fd6ObfS.exe
Signature: HijackLoader
File size: 6'279'156 bytes
First seen: 2025-10-03 12:10:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 98304:+pXW04HvwKEesGQhuzHA4lIVoJFDuyMc1h9RQo5IedrI5Cb+wVMrzgr:+pXf4PIUHVIVKk3I3ZIedrI5U+s
Threatray 7 similar samples on MalwareBazaar
TLSH T1F55633517389E8F0DEDAEA31CE1ACF2111B2F7B217984E46A3654D802EE6335524F9DC
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags: exe HijackLoader
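The SHA256, SHA3-384, SHA1 and MD5 values above identify this exact file. imphash, ssdeep and TLSH are similarity measures, and the imphash on this entry is shared by HijackLoader, ValleyRAT and LummaStealer samples, so it is a pivot to related builds rather than proof of identity. Before spending analysis time on a sample downloaded from this entry, confirm it is the file the page describes. The Python below is an added example, not MalwareBazaar's own code: it streams a file through the four content hashes listed here in a single pass and reports which, if any, differ from the entry. The digest values are copied from this page; the function names and the command-line handling are the example's own.

```python
import hashlib
import sys

# Content hashes as listed on this MalwareBazaar entry (copied from the page above).
ENTRY_HASHES = {
    "sha256": "b87932a6ec2499d7d36ca764a64e5b38a209d1bb97346ef65226082db6830194",
    "sha3_384": "45743ef5da0891ad365afbf82e099552489803605d7683e3aced724cbfb712acd66b52c2aab6be65749bcefb5b2fda06",
    "sha1": "0280e4fc1b285d4614c37615faf7a5792144b4fe",
    "md5": "81d348e269973aa9d46fdc3651b01245",
}

CHUNK_SIZE = 1 << 20  # 1 MiB; this sample is ~6 MB and its drop chain is larger


def compute_digests(sample, algorithms=tuple(ENTRY_HASHES)):
    """Return {algorithm: lowercase hex digest} for `sample`.

    `sample` is either the file content as bytes or a filesystem path (str).
    Files are streamed so the whole binary never has to sit in memory, and
    every algorithm is fed from the same pass over the data.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    if isinstance(sample, (bytes, bytearray)):
        for h in hashers.values():
            h.update(sample)
    else:
        with open(sample, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
                for h in hashers.values():
                    h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_against_entry(sample, expected=ENTRY_HASHES):
    """Return the names of algorithms whose digest does NOT match `expected`.

    An empty list means the file is byte-for-byte the one this entry describes.
    A non-empty list means a different file (wrong download, still-wrapped
    archive, or a modified copy), so the vendor findings above would not apply.
    """
    actual = compute_digests(sample, tuple(expected))
    return [name for name, value in expected.items() if actual[name] != value.lower()]


if __name__ == "__main__":
    # Default to the file name shown on this entry; pass another path to override.
    path = sys.argv[1] if len(sys.argv) > 1 else "fd6ObfS.exe"
    mismatches = verify_against_entry(path)
    print("verified" if not mismatches else f"MISMATCH on: {', '.join(mismatches)}")
```

A single mismatching algorithm is itself a signal: four independent digests cannot disagree on the same bytes, so a partial match almost always means the comparison values were mistyped or truncated when copied.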

Intelligence


File Origin
# of uploads: 1
# of downloads: 82
Origin country: SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b87932a6ec2499d7d36ca764a64e5b38a209d1bb97346ef65226082db6830194.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-03 09:28:14 UTC
Tags:
hijackloader loader deerstealer stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Tags:
shellcode injection dropper
Result
Verdict:
Malware
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating synchronization primitives
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer microsoft_visual_cc overlay packed packer_detected
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-03T06:35:00Z UTC
Last seen:
2025-10-05T03:35:00Z UTC
Hits:
~10
Result
Threat name:
HijackLoader
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Yara detected HijackLoader
Behaviour
Behavior Graph (ID 1788736; sample fd6ObfS.exe; start date 03/10/2025; architecture WINDOWS; score 96)

Sample-level signatures:
  Found malware configuration
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Yara detected HijackLoader

Process tree (node numbers as in the graph; "dropped" lists files written by that process):
  9  fd6ObfS.exe
       dropped: C:\Users\user\AppData\Local\...\mfc110u.dll (PE32+)
       dropped: C:\Users\user\AppData\...\Utilit_Sha.exe (PE32+)
       dropped: C:\Users\user\AppData\Local\...\MSVCR110.dll (PE32+)
       dropped: 2 other malicious files
       17  Utilit_Sha.exe
             dropped: C:\ProgramData\dockerplugin\Utilit_Sha.exe (PE32+)
             dropped: C:\ProgramData\dockerplugin\mfc110u.dll (PE32+)
             dropped: C:\ProgramData\dockerplugin\MSVCR110.dll (PE32+)
             dropped: 2 other files (none is malicious)
             signature: Found direct / indirect Syscall (likely to bypass EDR)
             29  Utilit_Sha.exe
                   dropped: C:\Users\user\FusionOrches.exe (PE32+)
                   dropped: C:\Users\user\AppData\Roaming\...\tcpvcon.exe (PE32)
                   dropped: C:\Users\user\AppData\Local\...\B44B3CE.tmp (PE32+)
                   signature: Drops PE files to the user root directory
                   signature: Modifies the context of a thread in another process (thread injection)
                   signature: Found hidden mapped module (file has been removed from disk)
                   signature: 2 other signatures
                   37  tcpvcon.exe
                         signature: Switches to a custom stack to bypass stack traces
                         42  conhost.exe
                   40  FusionOrches.exe
                         signature: Found direct / indirect Syscall (likely to bypass EDR)
  12  Utilit_Sha.exe
       dropped: C:\Users\user\AppData\Local\...\C281121.tmp (PE32+)
       signature: Modifies the context of a thread in another process (thread injection)
       signature: Maps a DLL or memory area into another process
       21  tcpvcon.exe
             33  conhost.exe
       23  FusionOrches.exe
  15  Utilit_Sha.exe
       dropped: C:\Users\user\AppData\Local\Temp\C1ECFA.tmp (PE32+)
       25  tcpvcon.exe
             35  conhost.exe
       27  FusionOrches.exe
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2025-10-03 09:28:22 UTC
File Type:
PE (Exe)
Extracted files:
867
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Result
Malware family:
hijackloader
Score:
  10/10
Tags:
family:deerstealer family:hijackloader discovery loader stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DeerStealer
Deerstealer family
Detects DeerStealer
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
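Several of the vendor behaviours above (Suspicious use of WriteProcessMemory, Suspicious use of SetThreadContext, MapViewOfSection, and "Modifies the context of a thread in another process") describe one chain: spawn a process suspended, place code in it, repoint its primary thread's register context at that code, then resume it. The Python below is an added example, not from any of the sandboxes quoted on this page, showing how that chain can be recognised in an API trace. The event schema (pid, api, target_pid, args) and the trace itself are constructed for the example; the API names and the CREATE_SUSPENDED flag value (0x4) are the real Win32 / Native API ones.

```python
from collections import defaultdict
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Calls that place code or data in another process.
WRITE_CALLS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}
# Calls that redirect execution by rewriting a thread's register context.
CONTEXT_CALLS = {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}
RESUME_CALLS = {"ResumeThread", "NtResumeThread"}


@dataclass
class TargetState:
    """Progress of one (injector, target) pair through the injection chain."""
    suspended: bool = False
    wrote: bool = False
    set_context: bool = False
    resumed: bool = False
    calls: tuple = ()


def detect_thread_context_injection(trace):
    """Find (injector_pid, target_pid, calls) where the full ordered chain
    suspended create -> cross-process write/map -> set thread context -> resume
    occurred. `trace` is an iterable of dicts with keys pid, api, target_pid
    (None for in-process calls) and args (hypothetical event schema)."""
    state = defaultdict(TargetState)
    for ev in trace:
        pid, api = ev["pid"], ev["api"]
        tgt, args = ev.get("target_pid"), ev.get("args", {})
        if tgt is None or tgt == pid:
            continue  # only cross-process activity matters here
        st = state[(pid, tgt)]
        st.calls += (api,)
        # Each stage only counts once the previous stage has been seen,
        # so the order of the chain is enforced, not just the set of calls.
        if api.startswith("CreateProcess") and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            st.suspended = True
        elif api in WRITE_CALLS and st.suspended:
            st.wrote = True
        elif api in CONTEXT_CALLS and st.wrote:
            st.set_context = True
        elif api in RESUME_CALLS and st.set_context:
            st.resumed = True
    return [(k[0], k[1], st.calls) for k, st in state.items() if st.resumed]


# Constructed trace (not taken from the sandbox reports on this page):
#  - pid 4120 hollows a freshly spawned child 4188 (the pattern flagged above);
#  - pid 900 spawns a child normally and writes nothing into it;
#  - pid 2000 behaves like a debugger: suspended create and SetThreadContext,
#    but no memory write first, so it must not fire.
SAMPLE_TRACE = [
    {"pid": 4120, "api": "CreateProcessW", "target_pid": 4188,
     "args": {"image": "tcpvcon.exe", "dwCreationFlags": CREATE_SUSPENDED}},
    {"pid": 4120, "api": "NtMapViewOfSection", "target_pid": 4188},
    {"pid": 4120, "api": "WriteProcessMemory", "target_pid": 4188},
    {"pid": 4120, "api": "SetThreadContext", "target_pid": 4188},
    {"pid": 4120, "api": "ResumeThread", "target_pid": 4188},
    {"pid": 900, "api": "CreateProcessW", "target_pid": 912, "args": {"dwCreationFlags": 0}},
    {"pid": 900, "api": "ResumeThread", "target_pid": 912},
    {"pid": 2000, "api": "CreateProcessW", "target_pid": 2010, "args": {"dwCreationFlags": CREATE_SUSPENDED}},
    {"pid": 2000, "api": "SetThreadContext", "target_pid": 2010},
    {"pid": 2000, "api": "ResumeThread", "target_pid": 2010},
]

if __name__ == "__main__":
    for injector, target, calls in detect_thread_context_injection(SAMPLE_TRACE):
        print(f"thread-context injection: pid {injector} -> pid {target}: {' -> '.join(calls)}")
```

Requiring the stages in order per (injector, target) pair is what keeps the debugger-like third case quiet. Because the same reports also flag direct/indirect syscalls, user-mode API hooks may never see the Nt* variants at all; the trace fed to a detector like this should come from a kernel or ETW source rather than from hooks in the injecting process.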
Unpacked files
SHA256 hash:
b87932a6ec2499d7d36ca764a64e5b38a209d1bb97346ef65226082db6830194
MD5 hash:
81d348e269973aa9d46fdc3651b01245
SHA1 hash:
0280e4fc1b285d4614c37615faf7a5792144b4fe
SHA256 hash:
27f394ae01d12f851f1dee3632dee3c5afa1d267f7a96321d35fd43105b035ad
MD5 hash:
7caa1b97a3311eb5a695e3c9028616e7
SHA1 hash:
2a94c1cecfb957195fcbbf1c59827a12025b5615
SHA256 hash:
c2a2846f3775e641218ce24189e795acbac3562d7b2f0f27a4e08f43173898c1
MD5 hash:
285af5df9e15cd1467966e50e4a933f8
SHA1 hash:
bbecab72bb3de048a73857abec8728ffede17926
Malware family:
IDATLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: pe_detect_tls_callbacks
Rule name: Windows_Trojan_GhostPulse_caea316b
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: HijackLoader, Executable exe, b87932a6ec2499d7d36ca764a64e5b38a209d1bb97346ef65226082db6830194 (this sample)
