MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1d05b94e929dcb423c30d28bdd3394feeb221b30d2e0af3ab8631521af34852. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 17

SHA256 hash: f1d05b94e929dcb423c30d28bdd3394feeb221b30d2e0af3ab8631521af34852
SHA3-384 hash: 72508e57094ac91e8e475c2a891c522d460335fbac01ccb6ab1b2336d9513d3b6bcede6740ab89b869ff080ba4bc28d2
SHA1 hash: fbe8d1098701d9a1eb10237abca27bcbec58b82c
MD5 hash: 16e982cb2d92cb461b6823c025bb05c5
humanhash: fish-texas-berlin-rugby
File name: file
Signature: HijackLoader
File size: 9'059'259 bytes
First seen: 2025-10-16 04:02:14 UTC
Last seen: 2025-10-16 04:06:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d7e2fd259780271687ffca462b9e69b7 (6 x AsyncRAT, 6 x LummaStealer, 6 x AurotunStealer)
ssdeep: 196608:sfUzs7e53HTWmZaatdiDEpPbCKCWU/MvNpnSTh4ol6:8erAmYaZeiU/WnSTh45
TLSH: T1D596333295500032F6F10277BE38A6306E7CB728275589AAE7D4FC5D7EB848277B7216
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Bitsight
Tags: dropped-by-amadey exe HIjackLoader


Bitsight
url: http://178.16.55.189/files/1760829628/N2HlqRs.exe

Intelligence


File Origin
# of uploads: 4
# of downloads: 73
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 251015-qhj3fszygs_pw_infected.zip
Verdict: Malicious activity
Analysis date: 2025-10-16 00:59:57 UTC
Tags: arch-exec lumma stealer amadey auto redline botnet credentialflusher generic evasion loader stealc vidar rustystealer gcleaner anti-evasion rdp phishing autoit hijackloader pastebin miner winring0-sys vuln-driver api-base64 xor-url themida remote xworm rust winscp rmm-tool purecrypter unlocker-eject tool rhadamanthys

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun delphi
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm anti-vm CAB crypto evasive expand explorer fingerprint fingerprint installer lolbin lolbin microsoft_visual_cc obfuscated overlay packed packed packer_detected remote rundll32 runonce threat
Verdict: Malicious
File Type: exe x32
First seen: 2025-10-15T02:48:00Z UTC
Last seen: 2025-10-16T12:42:00Z UTC
Hits: ~100
Detections: Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Agent.sb Trojan-PSW.MSIL.Stealer.sb Trojan-Dropper.Win32.Injector HEUR:Trojan-Dropper.Win32.Agent.gen Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan-PSW.Win32.Coins.sb Trojan.Win32.Delf.sb
Verdict: inconclusive
YARA: 5 match(es)
Tags: CAB:COMPRESSION:MSZIP Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Amadey
Status: Suspicious
First seen: 2025-10-15 08:04:50 UTC
File Type: PE (Exe)
Extracted files: 235
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery loader
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Unpacked files
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base63 encoded PowerShell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)
Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
HijackLoader
Executable exe f1d05b94e929dcb423c30d28bdd3394feeb221b30d2e0af3ab8631521af34852 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

Comments