MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de159f05285cc600035d92f7da1a7441a092d169df5fbe1cbeada8d2118c3fdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



HijackLoader


Vendor detections: 8



SHA256 hash: de159f05285cc600035d92f7da1a7441a092d169df5fbe1cbeada8d2118c3fdb
SHA3-384 hash: 4a7b297565097a8690fe88626ff21bf231e623c066b0eb781ea4d02245c89a8f7b4d3aeb5a9752d3fd6b7493de0317f2
SHA1 hash: 8cfaa97167941fd0454626c8f37c9b967bd06448
MD5 hash: d427de5b2969cfbdf7389ab269b8c6ef
humanhash: twenty-solar-oscar-bacon
File name: Test3.lnk
Signature: HijackLoader
File size: 3'056 bytes
First seen: 2025-08-13 08:04:10 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8Ayw/BHYVKVWf+/CWkAZK3YbyZNgER0HrhlczAedd79dsrabxJlpl9l:8y5a3AZKIUqHrhqUedJ9AadrL9
TLSH: T14551CF3D5AE61329E2B6DB7298BA6212F837BD42F9308E4D10CE43481723615B4D5F2F
Magika: lnk
Reporter: abuse_ch
Tags: HIjackLoader lnk

Intelligence


File Origin
# of uploads: 1
# of downloads: 46
Origin country: SE
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: obfuscate phishing xtreme spawn
Result
Verdict: Malicious
File Type: LNK File - Malicious
Behaviour
BlacklistAPI detected
Result
Threat name: HijackLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected HijackLoader
Yara detected LNK With Padded Argument
Behaviour
Behavior Graph: [Behavior Graph ID: 1755861; Sample: Test3.lnk; Startdate: 13/08/2025; Architecture: WINDOWS; Score: 100. The rendered process, file and network graph is not reproduced here.]
Verdict: Malware
YARA: 2 match(es)
Tags: Batch Command Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:powershell.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002
Threat name: Shortcut.Trojan.Generic
Status: Suspicious
First seen: 2025-08-12 18:42:44 UTC
File Type: Binary
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction: https://update-host-one.top/IreufhGf3/pay1.mp4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: EXT_EXPL_ZTH_LNK_EXPLOIT_A
Author: Peter Girnus
Description: This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.
Reference: https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: HijackLoader
File type: Shortcut (lnk)
SHA256 hash: de159f05285cc600035d92f7da1a7441a092d169df5fbe1cbeada8d2118c3fdb (this sample)

Delivery method: Distributed via web download

Comments



commented on 2025-08-13 09:29:52 UTC

Payload URL:
https://update-host-one.top/IreufhGf3/pay1.mp4