MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef39d2174a6162c386ae3141371de560c8d66dc2d80d708d6b0a2dd3991ebde7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 10

SHA256 hash: ef39d2174a6162c386ae3141371de560c8d66dc2d80d708d6b0a2dd3991ebde7
SHA3-384 hash: 6e9d29e4292f66677e45029b972ac9af432cfb8a753a34033b65674b0d3c9fef03ae10b3b0adedab49b46ec88cf7a9e8
SHA1 hash: dd0c0c21aa23a665f9f0bb93022da17696c8a811
MD5 hash: 3623c25f768c03b4c7590c1711513a24
humanhash: network-winter-network-fanta
File name: psd3.ps1
Signature: HijackLoader
File size: 102 bytes
First seen: 2026-03-17 07:06:18 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 3:VSJJFISFX1HFH+ILT2rGjCMeasGSq5IFORRAcPKCG:s8SFX1HFH+W2ijPeanS0wcPKCG
TLSH: T14CB01297894D13B8490F40F7A41E6E04998C319343C620B2B3B2892F78C298C8380740
Magika: batch
Reporter: JAMESWT_WT
Tags: 152-89-244-70 booking HIjackLoader NetSupport ps1

Intelligence

File Origin
# of uploads: 1
# of downloads: 139
Origin country: IT
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 97.4%
Tags: vmdetect autorun

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm fingerprint obfuscated powershell

Verdict: Malicious
File Type: ps1
Detections: HEUR:Trojan.PowerShell.Generic

Gathering data

Threat name: Text.Trojan.Boxter
Status: Malicious
First seen: 2026-03-17 06:51:55 UTC
File Type: Text (Batch)
AV detection: 5 of 22 (22.73%)
Threat level: 5/5

Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery execution loader spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Badlisted process makes network request
Downloads MZ/PE file
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse
Hijackloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments