MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca
SHA3-384 hash: 10a005be8440c82edb9c48f5c8cf931bbbbd3028fba85b8fc282b28c3b0440640e248201525e81a5a72b83f52577d069
SHA1 hash: a7a56f18c067ce06762c335e471b500551683905
MD5 hash: 9c004138bea1f426fa43b6edbae46da0
humanhash: sad-shade-robin-nineteen
File name:rw6eMTC.exe
Download: download sample
Signature HijackLoader
Create hunting rule
File size:5'445'218 bytes
First seen:2025-07-22 06:09:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 98304:+p4g1jNGVAjP3tZytkWWr42NZtQwR+r1gzAvtvPHyb2tbklDL0qnKVOqzCX/O84M:+p4g7sMPKtkWWrXmwMrFXSb0oCHCPO7M
Threatray 96 similar samples on MalwareBazaar
TLSH T16D463391B7E27EF6CA92C6774F069B720272D68C1B461E0B768A1F196DC70F066070ED
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter abuse_ch
Tags:exe HIjackLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
36
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
901c74726ac32fa835ee9c3b0d09e78347dea9686c29dbd7db150ccc2a15b7b2.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-07-21 22:34:20 UTC
Tags:
lumma stealer themida loader amadey botnet rdp ms-smartcard auto-reg susp-powershell upx salatstealer golang telegram auto generic gcleaner deerstealer autoit
Link:
https://app.any.run/tasks/07654c5c-b430-48aa-9c36-bc8cab5317b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16233/
Detection(s):
SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687f2b6184b37dd61ef080fc
Tags:
injection dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/76f2fc3d-cc77-4a45-9d78-6ece65b69f01
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1741830
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected unpacking (overwrites its own PE header)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1741830 Sample: rw6eMTC.exe Startdate: 22/07/2025 Architecture: WINDOWS Score: 100 65 pyrrhic-delivery.pro 2->65 67 beacons.gcp.gvt2.com 2->67 69 beacons-handoff.gcp.gvt2.com 2->69 87 Suricata IDS alerts for network traffic 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 2 other signatures 2->93 11 rw6eMTC.exe 10 2->11         started        14 SwitchEnterprise.exe 5 2->14         started        signatures3 process4 file5 55 C:\Users\user\...\SwitchEnterprise.exe, PE32 11->55 dropped 57 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32 11->57 dropped 59 C:\Users\user\AppData\...\Qt5Network.dll, PE32 11->59 dropped 63 3 other files (none is malicious) 11->63 dropped 17 SwitchEnterprise.exe 9 11->17         started        61 C:\Users\user\AppData\Local\...\B28C3DC.tmp, PE32+ 14->61 dropped 103 Modifies the context of a thread in another process (thread injection) 14->103 105 Maps a DLL or memory area into another process 14->105 21 XPFix.exe 14->21         started        23 FFramework64.exe 14->23         started        signatures6 process7 file8 41 C:\ProgramData\...\SwitchEnterprise.exe, PE32 17->41 dropped 43 C:\ProgramData\gahPatch\VCRUNTIME140.dll, PE32 17->43 dropped 45 C:\ProgramData\gahPatch\Qt5Network.dll, PE32 17->45 dropped 47 3 other files (none is malicious) 17->47 dropped 83 Switches to a custom stack to bypass stack traces 17->83 85 Found direct / indirect Syscall (likely to bypass EDR) 17->85 25 SwitchEnterprise.exe 7 17->25         started        signatures9 process10 file11 49 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 25->49 dropped 51 C:\Users\user\AppData\...\FFramework64.exe, PE32+ 25->51 dropped 53 C:\Users\user\AppData\Local\...\A135275.tmp, PE32+ 25->53 dropped 95 Modifies the context of a thread in another process (thread injection) 25->95 97 Found hidden mapped module (file has been removed from disk) 25->97 99 Maps a DLL or memory area into another process 25->99 101 2 other signatures 25->101 29 FFramework64.exe 25->29         started        33 XPFix.exe 25->33         started        signatures12 process13 dnsIp14 81 pyrrhic-delivery.pro 104.21.89.79, 443, 49686 CLOUDFLARENETUS United States 29->81 107 Detected unpacking (overwrites its own PE header) 29->107 109 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->109 111 Tries to harvest and steal browser information (history, passwords, etc) 29->111 115 5 other signatures 29->115 35 chrome.exe 2 29->35         started        113 Switches to a custom stack to bypass stack traces 33->113 signatures15 process16 dnsIp17 71 192.168.2.8, 138, 443, 49381 unknown unknown 35->71 73 192.168.2.16 unknown unknown 35->73 38 chrome.exe 35->38         started        process18 dnsIp19 75 www.google.com 142.251.32.100, 443, 49692, 49701 GOOGLEUS United States 38->75 77 www3.l.google.com 38->77 79 3 other IPs or domains 38->79
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/9c004138bea1f426fa43b6edbae46da0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6khmm3vhfkzflybixghdcayhbyhecibqguvzyzvk62lcm37nhdfa._file
Verdict:
malicious
Label(s):
ghostpulse
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
10cd6b68b312a4c66967da95c7c3f98ab2c4f5ecc77eb2b6096759118f6cc4e3
HijackLoader
584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f
HijackLoader
60972229523eb137860bae114a667ace6d6109ebeec4f219628cdfe00e88d145
HijackLoader
64e2811f4c55a0b962e31c3fd01aa653ff5a55d56146ff2f4b6fbef6236c46a4
HijackLoader
78ed91aa3f80105bc099ac45eb8c5d50536aeeab5442a81d80aedfa90e42988d
HijackLoader
a5e0756405dea5b805018097497b69a945289cda1c57f1577f1da2706c7b52bb
HijackLoader
b309a34d8f0fd69613d30cf544609536fd08e724ec3c8c42991fc91c2a5d3812
HijackLoader
dbbbe41beae2c8513cf1199814e03f70f5b4ed34b9a93382c57ffa741eca456f
HijackLoader
e78d5c1530afc8284fa602b221cfe47c25ff7a6d12549d300d61143da67b2aa4
HijackLoader
error
HijackLoader
+ 86 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader spyware stealer
Link:
https://tria.ge/reports/250722-gxbvysswhy/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cb92b940-c352-4e46-b2cc-ff7598ed8b94
Unpacked files
SH256 hash:
f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca
MD5 hash:
9c004138bea1f426fa43b6edbae46da0
SHA1 hash:
a7a56f18c067ce06762c335e471b500551683905
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
SH256 hash:
b552c388a2e71fb60f852cbb57cb2c7edc4ee32f3224f3ecd60424797fb69b75
MD5 hash:
2c2c5947be53f385338b5ec264f2679e
SHA1 hash:
24f84f83a1e352144a2c6bfd09c55c3271d3b087
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
SH256 hash:
195c18f16996050c6dfeff5c5c99c26450f59c97ba09e270d2aee1bab0ffa5f5
MD5 hash:
c1de1a6c6c22cfcc7b476d69f7ef908c
SHA1 hash:
2e483f63b9252c4adf27aae81a05310bd30a29c5
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
SH256 hash:
5bbf31075da9b17eae629df22daca736f81b55a7d5182a9dc861df75e6f307e0
MD5 hash:
cf45ce2a20cae9cec5b26502b0e8efb3
SHA1 hash:
818b390b7ad97ac2a41c446e727dcae647470787
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
SH256 hash:
04d587f9d29efa33612e5589b93901a48a0e8c88e4e2caacf47bd36bc2f11b41
MD5 hash:
8f81ff0b9a68003d94cc7adf17f41bab
SHA1 hash:
c829d158ac4909361d0a1fc6d0fbd5b78fbc966b
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
SH256 hash:
631f6efca45a4728326219fe898c168a810c1dfa179ccb0512506c0f8bb8018e
MD5 hash:
b73c417bcb57254601a99d65e076525f
SHA1 hash:
d2d74d3e76683940468d89622761b04e5b8f40e3
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
SH256 hash:
b8a0338656f232620222d3502326753b3c9aac79646e35467ede32afc06a0314
MD5 hash:
51f42fac26c387daf4dc3763020d3057
SHA1 hash:
f0f83154df72c175495fc87bf278ac9ee65027d7
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
SH256 hash:
0823b2bf3fcc268f31281d520a29e8c0be43df4b2414c3023657f5257a9a103e
MD5 hash:
ebf678ed606696584c9252c051690e22
SHA1 hash:
5bf8a4854c17c75f6ae170ad7e6232ae8296d129
Detections:
win_samsam_auto
Create hunting rule
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
Parent samples :
2e8ac3980feb2ed56f39fac3763eed0fba77740a7b5cd74bccd8b7d59223c79d
64e2811f4c55a0b962e31c3fd01aa653ff5a55d56146ff2f4b6fbef6236c46a4
78ed91aa3f80105bc099ac45eb8c5d50536aeeab5442a81d80aedfa90e42988d
e68aaae515c5a9209fad7b4217f534de39b36ec66aff13c900c6c729e14dd31f
58a5e3bb70bcb50147587807794bcee8ee3c7e5c67a630b092e7899d2a50c83b
584bc504241fb7dc36f4c2ff5d38bf9757d9af5a369ca01027d2e151d53d932f
ff6ba4489c2fe94e5ed49e2bbb411abbb6677f73b56df746ffb36c6c0ea6b81f
9e05baee59cd27a85f08cf2fa678f54c3bb639f29d4521bfa0319bf174c04dba
6ffd4fb10bc191d0a3b5b47bec951397628f2dad1f5defce506c753c90c0f296
a7c5e1f4789b6b066c8030a3966786c99682371751c255e4e77d4b5a485237ae
46091fc17ded829d91a0563354ca16ff416f6b92912ad7ddd39ff326d787299b
f7540df042b56cb25b0f90b17255b173d9e078b1bc3bf72d4d7a476174ef9081
f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca
516523a72a445b175b620ee3ec70e0be6d7ddd9e217c22867527a3e17b7bb8b2
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
772b547b8e01d86b2d4a32e308a42388f298ca4faedb0d6a3b78fb0d4dce8826
cabf319baf5f3c955f6e251d101bdc61a1d7c3ced40e3f313c7d43f8571c00dd
9de72bbf7efdb9b528351ec7ad706d6197e860a78b2846adf700cbc10d0760fa
SH256 hash:
a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash:
cabb58bb5694f8b8269a73172c85b717
SHA1 hash:
9ed583c56385fed8e5e0757ddb2fdf025f96c807
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
SH256 hash:
68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash:
d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash:
b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
Link:
https://www.unpac.me/results/e1baca8d-007c-4416-872e-1dd74958c0c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:observer
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked observer malware samples.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_GhostPulse_caea316b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe f28ec66ea72ab255e028b98e3103070e0e412030352b9c66aaf696266fed38ca

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/16233/
  
URLhaus
https://urlhaus.abuse.ch/url/3581113/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments