MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1c92eea9689d21173bc72d22b935fe9cb20fb556f5ccc9ff6990494ca268984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 12



SHA256 hash: e1c92eea9689d21173bc72d22b935fe9cb20fb556f5ccc9ff6990494ca268984
SHA3-384 hash: 84600eeda0edac850694a3e2fda58a4d9b72ed799227c2241a234bcc4c06b8f2b8e3119c7f8d5c3579a99cfcf1e5f139
SHA1 hash: 8c6fcab574066aa19d537053704d0d5720e909fe
MD5 hash: 4e063332d7dfb2b3aec7df98fc34758d
humanhash: december-idaho-charlie-california
File name: file
Signature: HijackLoader
File size: 8'480'683 bytes
First seen: 2025-12-27 19:02:58 UTC
Last seen: 2025-12-28 06:13:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 67715e556e3a78ea78c756db800102a3 (2 x HijackLoader, 1 x Smoke Loader, 1 x Phorpiex)
ssdeep: 196608:aXYi97AjQLUKzu4eIixtAcHgQSBH91ViebEt50hWHLAGpSl:a/D47IlKSf+rTi
TLSH: T1F8863332E594402EEBF20973ED5495316EB9A6186F20D0ABF3C8ED5E297C45267B3313
TrID:
39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-gcleaner exe G HIjackLoader US.file


Bitsight
url: http://194.38.20.224/service

Intelligence


File Origin
# of uploads: 8
# of downloads: 121
Origin country: US
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: _e1c92eea9689d21173bc72d22b935fe9cb20fb556f5ccc9ff6990494ca268984.exe
Verdict: No threats detected
Analysis date: 2025-12-27 19:04:01 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: ransomware downloader dropper
Verdict: Malicious
File Type: exe x32
First seen: 2025-12-27T16:14:00Z UTC
Last seen: 2025-12-27T18:21:00Z UTC
Hits: ~10
Detections: UDS:DangerousObject.Multi.Generic Trojan.Win32.Zenpak.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Penguish.gii
Verdict: inconclusive
YARA: 5 match(es)
Tags: CAB:COMPRESSION:MSZIP Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Hijackloader
Status: Suspicious
First seen: 2025-12-27 19:03:23 UTC
File Type: PE (Exe)
Extracted files: 171
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader credential_access discovery loader spyware stealer
Behaviour
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Unpacked files
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_detect_tls_callbacks

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader
Executable exe e1c92eea9689d21173bc72d22b935fe9cb20fb556f5ccc9ff6990494ca268984 (this sample)
Dropped by: Gcleaner
Delivery method: Distributed via web download
