MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
SHA3-384 hash: 6e6ec0e6588c0dcb367d2ecfca9ebb317f83aba27ff194ee02994720359df3ddc995eb339f84e31f44bfbdbc4d427040
SHA1 hash: 80b1694d2d19220faf6dbe43cb281cee5852aaff
MD5 hash: 137452f7f8cb7d554f02b748484a29e6
humanhash: colorado-table-nineteen-stream
File name:file
Download: download sample
Signature HijackLoader
Create hunting rule
File size:5'428'568 bytes
First seen:2025-11-07 17:01:03 UTC
Last seen:2025-11-07 18:16:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (7 x OffLoader, 4 x HijackLoader, 3 x ValleyRAT)
ssdeep 98304:rDblFQ4I0p9rmppUGX2Y3gNroRM+DPhGBoTpKJ0JNf4faxe:rDbLzbppm3UQV8roRnhGYpKScaU
Threatray 7 similar samples on MalwareBazaar
TLSH T128461213F24E633EE469563659729A10953FBE60651E8CA3C6EC3E4CCE391601E3EE47
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 HIjackLoader


Avatar
Bitsight
url: http://178.16.54.200/files/7882370143/gx4eV0u.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
85
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351.exe
Verdict:
Malicious activity
Analysis date:
2025-11-07 17:01:51 UTC
Tags:
drayn stealer inno installer delphi hijackloader loader auto generic deerstealer ultravnc rmm-tool
Link:
https://app.any.run/tasks/aea59e76-df90-49b5-a679-d10354c265ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36463/
Detection(s):
SecuriteInfo.com.FileRepMalware.81749437.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690e25e030bacec888c97536
Tags:
injection dropper emotet obfusc
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Connection attempt
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed zero
Link:
https://www.filescan.io/uploads/690e25fb8938e2fe22144415/reports/842d93be-31d8-4fea-bac7-f154132bfdcd/overview
Verdict:
Malicious
Labled as:
Backdoor.MSIL.XWorm.gen
Link:
https://www.hybrid-analysis.com/sample/bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-07T14:07:00Z UTC
Last seen:
2025-11-09T13:02:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Dropper.Win32.Agent.gen Trojan.Win32.Penguish.sb
Link:
https://opentip.kaspersky.com/bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351/results?tab=lookup
Malware family:
Sunstream Labs
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cd59453e-6e3a-41bc-9aae-91874322e3b2
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/137452f7f8cb7d554f02b748484a29e6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-11-07 17:01:43 UTC
File Type:
PE (Exe)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5xaynb6yuct3kn5buh2k54dt4ax5xe2nz3axnqr7mjuettccniq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
deerstealer
Create hunting rule
Similar samples:
0852ae81624c390a57e57d930e86b8c1bc080813481ee5bd505f81352c7e6fe6
HijackLoader
25b34f7a1aa68458a150182a2a292ea61bc3a45a72782839fdc0be58b90bd655
HijackLoader
36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed
HijackLoader
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
HijackLoader
9705b02f24c62bc938211d125bfeb3c4fc842b2cd74f05df36cfb3a23c7bbcec
HijackLoader
c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd
HijackLoader
error
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader spyware stealer
Link:
https://tria.ge/reports/251107-vjv9bstlbj/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f53e8055-5a40-441e-a86a-6b6efc85f4c3
Unpacked files
SH256 hash:
bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
MD5 hash:
137452f7f8cb7d554f02b748484a29e6
SHA1 hash:
80b1694d2d19220faf6dbe43cb281cee5852aaff
Link:
https://www.unpac.me/results/99ffe90c-3b4d-401f-9c9e-172af4d90a87/
SH256 hash:
aa36c500f036a7894295f510753b0503981d2e2a0bc9e9778778ccd339c46f1e
MD5 hash:
0bec16733f404c822f98615fb0d40886
SHA1 hash:
95626c19837e07af414b8bba213f479b6a8eb252
Link:
https://www.unpac.me/results/99ffe90c-3b4d-401f-9c9e-172af4d90a87/
SH256 hash:
1571392b232070fe3cc45c3405e38440c5d662882c4cca08f805b1198260655e
MD5 hash:
26a8a603b8943831a91ac06a9e750a08
SHA1 hash:
95c40e66e4769a8902222037b07d1d0bb2ad7ae9
Link:
https://www.unpac.me/results/99ffe90c-3b4d-401f-9c9e-172af4d90a87/
SH256 hash:
97cd939517496823804af0a737d4e5d92fb5cec1c3ee9c3ffd6ac72213a8295c
MD5 hash:
209507736199fc8926d79916add9d7b7
SHA1 hash:
4d23a789f200f5d592f91662b718bf467be4a287
Link:
https://www.unpac.me/results/99ffe90c-3b4d-401f-9c9e-172af4d90a87/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf6e0c343ec5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/36463/
  
URLhaus
https://urlhaus.abuse.ch/url/3699026/

Comments