MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f037a658f8a9340faa41f98f2ea03e91966cacf5ac61ba99c049545373e6f4a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 9

Intelligence 9 IOCs YARA 44 File information Comments

SHA256 hash:	f037a658f8a9340faa41f98f2ea03e91966cacf5ac61ba99c049545373e6f4a4
SHA3-384 hash:	f5796a328266278dd493d18e57ffc32a9e4ec6e00b9b45668f01e0d92fb39c01789f4838561691b9ebea58490f3845fa
SHA1 hash:	6d3d2650b0d119fbe25c3d8c822063de80e4cfd3
MD5 hash:	1f023326c28945f966a289d621f080e9
humanhash:	georgia-romeo-fourteen-football
File name:	myapp.zip
Download:	download sample
Signature	HijackLoader Create hunting rule
File size:	13'299'407 bytes
First seen:	2026-03-17 07:26:29 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	393216:T4R6risk+S6gBjXpNq59Da1Rwa2PKCMCsVBp9ISbK:T44rwN6kj/q/D4OaFV9ISG
TLSH	T1C0D63329D02AAA2653B681B544FAEC7D01537FD14D31F11C816BD19CA21EC9F2EEEB0D
Magika	zip
Reporter	JAMESWT_WT
Tags:	69-5-189-8 HIjackLoader oevaofvwuf-com zip

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 11 file(s), sorted by their relevance:

File name:	session_mon.xml
File size:	36'874 bytes
SHA256 hash:	e41410787857ffdf0efeef8a4cbc188892b5e542531355462f13acad92c20217
MD5 hash:	7c39d16dae934ed55c78a058a9cdcea2
MIME type:	application/octet-stream
Signature	HijackLoader

File name:	MSVCP140.dll
File size:	635'040 bytes
SHA256 hash:	76c9060fd749d837c92b716a91a190b038f2c03e46da124a36f88075361a9be5
MD5 hash:	ab15feb56d735f4589217d02464b1a06
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	vcruntime140_1.dll
File size:	49'792 bytes
SHA256 hash:	e30b3f4979b63b50438d061858c9cde962f4494e585c627a11c98b6c5b7b2592
MD5 hash:	851760a3cc87354e057985e42e69f425
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	Qt5Widgets.dll
File size:	5'588'088 bytes
SHA256 hash:	635900e8566b58b6c7217e31e8ab5d87c03f54fab1347c4e42f8b61a8c361063
MD5 hash:	5f06de94123c883e2a0db53b3f89b17f
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	Qt5Network.dll
File size:	1'325'176 bytes
SHA256 hash:	771ae4b6b73f387757de5c7d4dd04959e514a8144d3ad99109f6f7e3208fda6c
MD5 hash:	7ee72ce1ffffc3be4e48c3ee4d8f2d33
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	CAgent32.exe
File size:	5'845'328 bytes
SHA256 hash:	a90826f5e2b3cb3721fbca9b6d4989da4113b844ef767e0ade4589984c8880d7
MD5 hash:	da31436bf598131d032df2285f512a4d
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	physics.yaml
File size:	2'927'926 bytes
SHA256 hash:	3cfff37762323f9d20ee44306c043f924b94e53806056198e9b2347345c8422b
MD5 hash:	bfccd7a856b6b43753a724840c99f4d2
MIME type:	application/octet-stream
Signature	HijackLoader

File name:	Qt5Gui.dll
File size:	6'503'032 bytes
SHA256 hash:	cd3fadd0fac5dccbe96550804fc6e72cf8851f04ff657fedf4128fde97d51140
MD5 hash:	ddcbc3b38c2690e98a6b6e02de4e6bb6
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	VCRUNTIME140.dll
File size:	85'232 bytes
SHA256 hash:	6cadb4fef773c23b511acc8b715a084815c6e41dd8c694bc70090a97b3b03fb9
MD5 hash:	0c583614eb8ffb4c8c2d9e9880220f1d
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	VMProtectSDK64.dll
File size:	68'096 bytes
SHA256 hash:	2a6a30697557cc40fa3426bff2e44ab58abe6e2298c5bc3a56bcfa1fd81fff8c
MD5 hash:	f97351872896121295d5423d314d9577
MIME type:	application/x-dosexec
Signature	HijackLoader

File name:	Qt5Core.dll
File size:	6'158'456 bytes
SHA256 hash:	2b3e736cb6dfddefb0b035d1130b4dc288436dda702796aa41f5116385c75ec4
MD5 hash:	b9012628283b8a319f9f8fb61476e17e
MIME type:	application/x-dosexec
Signature	HijackLoader

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/051e1e3e-50e3-4b1b-aefe-5358bf2cfa19/

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b8fe2d93b644ca466ad6bc

Tags:

vmdetect

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug base64 expired-cert fingerprint invalid-signature keylogger microsoft_visual_cc signed

Link:

https://www.filescan.io/uploads/69b902502000fc76c3e4d489/reports/62964e3c-6eb2-4a08-af82-6368bae270db/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/f037a658f8a9340faa41f98f2ea03e91966cacf5ac61ba99c049545373e6f4a4

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/f037a658f8a9340faa41f98f2ea03e91966cacf5ac61ba99c049545373e6f4a4

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

File Type:

zip

Link:

https://opentip.kaspersky.com/f037a658f8a9340faa41f98f2ea03e91966cacf5ac61ba99c049545373e6f4a4/results?tab=lookup

Score:

Verdict:

Benign

File Type:

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader discovery loader spyware stealer

Link:

https://tria.ge/reports/260317-qhegzacy5x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Detects HijackLoader (aka IDAT Loader)

HijackLoader, IDAT loader, Ghostulse,

Hijackloader family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.76

Link:

https://yomi.yoroi.company/submissions/f037a658f8a9340faa41f98f2ea03e91966cacf5ac61ba99c049545373e6f4a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_all_IPv6_variants Create hunting rule
Author:	Bierchermuesli
Description:	Generic IPv6 catcher

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_Websites Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference of suspicious sites that might be used to download further malware

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample