MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060
SHA3-384 hash: 39f61ca0f709f5d822ef2ae7b334992656576c96ca50fcbb55d6580eaf6e0ebc4b431bdcace874b3f938a9f806f9cbb7
SHA1 hash: e50bf3e5e06cda72f829c062e3dc7fb2de978a00
MD5 hash: 84f9389fa2e5ace44a78c40085421c56
humanhash: july-pizza-three-yellow
File name:file
Download: download sample
Signature HijackLoader
Create hunting rule
File size:9'109'641 bytes
First seen:2025-12-07 15:27:50 UTC
Last seen:2025-12-11 20:16:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 5 x Adware.IObit, 5 x LummaStealer)
ssdeep 196608:v5O2zZXE80mWVs4ATLwF23q9LXf7EPM1qjFTYGhYLdd:vSUWq/TmX90E1qjeT
Threatray 12 similar samples on MalwareBazaar
TLSH T1FD963353D3E740B0C499883AD4A6D951AF73B8F658D7AC1A3CB2C31D4076A83BA327D5
TrID 70.9% (.EXE) Inno Setup installer (107240/4/30)
9.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.9% (.EXE) Win64 Executable (generic) (10522/11/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-gcleaner exe G HIjackLoader US.file


Avatar
Bitsight
url: http://194.38.20.224/service

Intelligence

File Origin
# of uploads :
35
# of downloads :
102
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/182034ec-968b-4e36-bc68-e27d74885c0c/
Malware family:
n/a
ID:
1
File name:
_b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060.exe
Verdict:
Malicious activity
Analysis date:
2025-12-07 15:32:39 UTC
Tags:
evasion auto generic hijackloader loader delphi
Link:
https://app.any.run/tasks/a45dd797-8f62-4983-9db2-00b32402686e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42918/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69359d13c61465c74cbc0ce7
Tags:
vmdetect dropper extens smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed
Link:
https://www.filescan.io/uploads/69359d13bc15eab491f65e21/reports/fa5f1d98-5b8c-45ee-987c-276f1e5a49e5/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-07T13:02:00Z UTC
Last seen:
2025-12-08T16:13:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Dropper.Win32.Agent.gen Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Delf.sb HEUR:Trojan.Win32.Loader.gen Trojan.Win64.Agentb.lfjp
Link:
https://opentip.kaspersky.com/b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060/results?tab=lookup
Malware family:
Remote Utilities LLC
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/45e49449-d126-4205-a338-3e7ab0b3e056
Score:
27%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/84f9389fa2e5ace44a78c40085421c56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060
Threat name:
Win32.Trojan.Hijackloader
Create hunting rule
Status:
Suspicious
First seen:
2025-12-07 15:28:17 UTC
File Type:
PE (Exe)
Extracted files:
306
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xb7mkgruamaufdwftyxh2eyeegzqmrrbxw7y5anl24wk7ryvwbqa._file
Verdict:
malicious
Label(s):
deerstealer
Create hunting rule
Similar samples:
14d140999ab5d2ab903ddf1aedda4d868be68db054424c7fad70b8927b32a145
HijackLoader
54f2ac23b773789a411dbc870422e5887ed955754e0bfeb9e0ef91f057ec46da
HijackLoader
731a72d29320e1bf43b2004ee56583c7b9c279790c01b3569141bd8849d3afca
HijackLoader
error
HijackLoader
+ 2 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery installer loader spyware stealer
Link:
https://tria.ge/reports/251207-swfy3a1lek/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/f91fadf0-c2de-4526-bfc7-3bac8665ccc5
Unpacked files
SH256 hash:
b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060
MD5 hash:
84f9389fa2e5ace44a78c40085421c56
SHA1 hash:
e50bf3e5e06cda72f829c062e3dc7fb2de978a00
Link:
https://www.unpac.me/results/a1d53789-2448-461e-90e9-efc78b0d1ad9/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/a1d53789-2448-461e-90e9-efc78b0d1ad9/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/a1d53789-2448-461e-90e9-efc78b0d1ad9/
SH256 hash:
8f0beb5863d190b7b2cfe7f506f3b721ab6b9e892337a133364f2ba710931b25
MD5 hash:
be3cc5717f5951662adb399d613f20cc
SHA1 hash:
f776bc4344ad59fbd6950d24d3aa6dddb3df215a
Link:
https://www.unpac.me/results/a1d53789-2448-461e-90e9-efc78b0d1ad9/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b87ec51a3403/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:MoleBoxv20
Create hunting rule
Author:malware-lu
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:sus_pe_free_without_allocation
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:Windows_Trojan_GhostPulse_caea316b
Create hunting rule
Author:Elastic Security
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe b87ec51a340301428ec59e2e7d130421b3064621bdbf8e81abd72cafc715b060

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/42918/

Comments