MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd
SHA3-384 hash: c5e5da3cb37850450488adf0875c17f5acc6461eab7bb79735a16240279b7952b0c3878c5ec864d7972b1c5cd5ad4a9a
SHA1 hash: 7cb3f9fd942fa702c159f26cee35d69fdcc37ed4
MD5 hash: 1c8fc60a0d4fd0f0c07fdd8f65d23848
humanhash: double-harry-carbon-indigo
File name:cl.vbs
Download: download sample
Signature HijackLoader
Create hunting rule
File size:997 bytes
First seen:2025-11-03 10:18:49 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:9vWdlAohr6SOpBPspLqmpmqJ5i+tC1RzZlW7FtfWdOF3MvmNHgY5D/RTb9LFcpiI:9AlAol6zpmpvptjYrm3kmN1pAALEd/T
Threatray 47 similar samples on MalwareBazaar
TLSH T13F11440BB50B9630163199B8A5A1D42DEC41D2D3D119A9AC7A4C80C75F347F09B858DF
Magika vba
Reporter abuse_ch
Tags:HIjackLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35080/
Detection(s):
SecuriteInfo.com.JS.Downloader-24.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Downloader-44.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6904a776706befaf4ecab1d2
Tags:
spawn micro sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin msiexec net obfuscated
Link:
https://www.filescan.io/uploads/69088238d176c1584f6f9e9c/reports/2d1050ac-2837-41bf-9c56-42ba33ee4f98/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd
Verdict:
Malicious
File Type:
vbs
First seen:
2025-10-31T09:44:00Z UTC
Last seen:
2025-11-03T12:17:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.VBS.SLoad.gen HEUR:Trojan.OLE2.Alien.gen Trojan.Win32.Crypt.sb Trojan-PSW.Win32.Rhadamanthys.sb Trojan.Win64.SBEscape.sb PDM:Trojan.Win32.Generic Trojan-Downloader.VBS.SLoad.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan-Downloader.JS.SLoad.sb
Link:
https://opentip.kaspersky.com/c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd/results?tab=lookup
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1806808
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disables security and backup related services
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Windows Service Tampering
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected HijackLoader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1806808 Sample: cl.vbs Startdate: 03/11/2025 Architecture: WINDOWS Score: 100 79 cloudflare-dns.com 2->79 101 Found malware configuration 2->101 103 Antivirus detection for URL or domain 2->103 105 Antivirus detection for dropped file 2->105 107 9 other signatures 2->107 9 msiexec.exe 90 51 2->9         started        12 wscript.exe 15 2->12         started        16 GridDevice.exe 5 2->16         started        signatures3 process4 dnsIp5 67 C:\Users\user\AppData\Local\...\WsBurn.dll, PE32 9->67 dropped 69 C:\Users\user\AppData\Local\...\WS_Log.dll, PE32 9->69 dropped 71 C:\Users\user\AppData\...\WS_ImageProc.dll, PE32 9->71 dropped 77 10 other malicious files 9->77 dropped 18 GridDevice.exe 17 9->18         started        81 91.215.85.215, 49687, 5506 PINDC-ASRU Russian Federation 12->81 73 C:\Windows\Temp\LQBJXCPX.msi, Unknown 12->73 dropped 115 System process connects to network (likely due to code injection or exploit) 12->115 117 VBScript performs obfuscated calls to suspicious functions 12->117 119 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->119 121 Disables security and backup related services 12->121 22 cmd.exe 1 12->22         started        24 cmd.exe 1 12->24         started        26 msiexec.exe 12->26         started        75 C:\Users\user\AppData\Local\...\FB3A04D.tmp, PE32+ 16->75 dropped 123 Modifies the context of a thread in another process (thread injection) 16->123 125 Maps a DLL or memory area into another process 16->125 28 ParallelSchedule.exe 16->28         started        31 XPFix.exe 16->31         started        file6 signatures7 process8 dnsIp9 59 C:\ProgramData\VpnGuard\WsBurn.dll, PE32 18->59 dropped 61 C:\ProgramData\VpnGuard\WS_Log.dll, PE32 18->61 dropped 63 C:\ProgramData\VpnGuard\WS_ImageProc.dll, PE32 18->63 dropped 65 10 other malicious files 18->65 dropped 109 Switches to a custom stack to bypass stack traces 18->109 111 Found direct / indirect Syscall (likely to bypass EDR) 18->111 33 GridDevice.exe 7 18->33         started        37 net.exe 1 22->37         started        39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        43 sc.exe 1 24->43         started        83 arorectal.click 104.21.84.120, 443, 49704, 49709 CLOUDFLARENETUS United States 28->83 85 rorectal.click 104.21.92.158, 443, 49707, 49711 CLOUDFLARENETUS United States 28->85 113 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->113 file10 signatures11 process12 file13 53 C:\Users\user\ParallelSchedule.exe, PE32+ 33->53 dropped 55 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 33->55 dropped 57 C:\Users\user\AppData\Local\...13F596.tmp, PE32+ 33->57 dropped 93 Drops PE files to the user root directory 33->93 95 Modifies the context of a thread in another process (thread injection) 33->95 97 Found hidden mapped module (file has been removed from disk) 33->97 99 3 other signatures 33->99 45 ParallelSchedule.exe 33->45         started        49 XPFix.exe 33->49         started        51 net1.exe 1 37->51         started        signatures14 process15 dnsIp16 87 cloudflare-dns.com 104.16.248.249, 443, 49692, 49694 CLOUDFLARENETUS United States 45->87 89 172.67.191.242, 443, 49693, 49696 CLOUDFLARENETUS United States 45->89 91 3 other IPs or domains 45->91 127 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 45->127 129 Found direct / indirect Syscall (likely to bypass EDR) 45->129 131 Switches to a custom stack to bypass stack traces 49->131 signatures17
Score:
88%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd
Verdict:
Malware
YARA:
1 match(es)
Tags:
ADODB.Stream Microsoft.XMLHTTP Scripting.FileSystemObject VBScript WScript.Shell
Link:
https://app.malva.re/file/1c8fc60a0d4fd0f0c07fdd8f65d23848
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd/
Verdict:
Malicious
Threat:
Trojan.Win32.Strab
Link:
https://tip.neiki.dev/file/c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd
Threat name:
Script-WScript.Trojan.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-10-31 12:11:36 UTC
File Type:
Text (VBS)
AV detection:
7 of 23 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfmuqz4nu35fhhckqhsgqycuwupb7gjwluc6waraax7haput366q._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
0852ae81624c390a57e57d930e86b8c1bc080813481ee5bd505f81352c7e6fe6
HijackLoader
25b34f7a1aa68458a150182a2a292ea61bc3a45a72782839fdc0be58b90bd655
HijackLoader
36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed
HijackLoader
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
HijackLoader
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
HijackLoader
9705b02f24c62bc938211d125bfeb3c4fc842b2cd74f05df36cfb3a23c7bbcec
HijackLoader
e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
HijackLoader
error
HijackLoader
f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac
HijackLoader
+ 37 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion execution
Link:
https://tria.ge/reports/251103-md2vxsfw6g/
Behaviour
Runs net.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Checks computer location settings
Disables service(s)
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35080/

Comments