MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac
SHA3-384 hash: 1229d406edd5398f3d56220a8e4b61bf3fc1eb2aa3cbdd8656ed3a33a51f508f0a4c735ca2751f86e44716eda556cbfa
SHA1 hash: 5cb52d890830db0774f4bc1b560742abaccea862
MD5 hash: 8959d414dea38bce141f054b714bf764
humanhash: lemon-october-tennessee-eighteen
File name:vm.bat
Download: download sample
Signature HijackLoader
Create hunting rule
File size:936 bytes
First seen:2025-09-16 19:18:06 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24:+leD8y3U4Fhzse293VUvq2HShIGCDRaSsIGJeRiEM+1FbpiB2gw/aIEje:IeDBle2i0RfWJeR7s+5
Threatray 12 similar samples on MalwareBazaar
TLSH T1F411BD0E2B0E356FA472CB9F93581382FB45109F2E5466C6351D852F0F5F29B57A9884
Magika batch
Reporter aachum
Tags:bat ClickFix DeerStealer FakeCaptcha HIjackLoader


Avatar
iamaachum
https://favorite-hotels.com/ => http://80.253.249.186:5504/vm.bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vm.bat
Verdict:
Malicious activity
Analysis date:
2025-09-16 19:21:31 UTC
Tags:
loader auto generic stealer ultravnc rmm-tool hijackloader
Link:
https://app.any.run/tasks/30db74b3-a13c-455f-aa71-e9cae2790796

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27793/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c9b8efe579c633a4b5c410
Tags:
dropper shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-09-16T14:27:00Z UTC
Last seen:
2025-09-16T14:27:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.DLLhijack.wim Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac/results?tab=lookup
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778795
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Yara detected HijackLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1778795 Sample: vm.bat Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 64 Found malware configuration 2->64 66 Antivirus detection for URL or domain 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 4 other signatures 2->70 8 msiexec.exe 81 41 2->8         started        11 cmd.exe 1 2->11         started        14 svchost.exe 1 1 2->14         started        process3 dnsIp4 50 C:\Users\user\AppData\Local\...\Stat-H.exe, PE32+ 8->50 dropped 52 C:\Users\user\AppData\Local\...\libmp4v2.dll, PE32+ 8->52 dropped 54 C:\Users\user\AppData\Local\...\WS_Log.DLL, PE32+ 8->54 dropped 56 2 other files (none is malicious) 8->56 dropped 17 Stat-H.exe 8 8->17         started        76 Suspicious powershell command line found 11->76 21 powershell.exe 12 11->21         started        23 conhost.exe 11->23         started        25 chcp.com 1 11->25         started        62 127.0.0.1 unknown unknown 14->62 file5 signatures6 process7 file8 42 C:\ProgramData\validFm_3\Stat-H.exe, PE32+ 17->42 dropped 44 C:\ProgramData\validFm_3\libmp4v2.dll, PE32+ 17->44 dropped 46 C:\ProgramData\validFm_3\WS_Log.DLL, PE32+ 17->46 dropped 48 2 other files (none is malicious) 17->48 dropped 72 Found direct / indirect Syscall (likely to bypass EDR) 17->72 27 Stat-H.exe 4 17->27         started        74 Suspicious execution chain found 21->74 31 cmd.exe 4 3 21->31         started        signatures9 process10 file11 58 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 27->58 dropped 78 Found direct / indirect Syscall (likely to bypass EDR) 27->78 33 curl.exe 2 31->33         started        36 conhost.exe 31->36         started        38 where.exe 1 31->38         started        40 3 other processes 31->40 signatures12 process13 dnsIp14 60 80.253.249.186, 49681, 5504 ADEOXTECHUS Turkey 33->60
Score:
59%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac
Threat name:
Script-BAT.Downloader.FakeCaptcha
Create hunting rule
Status:
Malicious
First seen:
2025-09-15 18:58:49 UTC
File Type:
Text (Batch)
AV detection:
8 of 24 (33.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kqgqfso26yxh4l2xzjk3fofhpgpho4zm3lvaj6r5cla67qniowa._file
Verdict:
malicious
Label(s):
deerstealer
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
44c485a90f85327a21de9b24918822457230a635ea2c0fd45f6767404a86672f
HijackLoader
64e2811f4c55a0b962e31c3fd01aa653ff5a55d56146ff2f4b6fbef6236c46a4
HijackLoader
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
HijackLoader
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
HijackLoader
bcc062030c3615d3f8e42e3a2a0b4410e07cf5c845c72c95b56d41d81bac5f46
HijackLoader
e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
HijackLoader
ea623740c81d566c3ad240c8b7c481a3ff5e5e0dd34c5e24e28204727c0e75cc
HijackLoader
error
HijackLoader
+ 2 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:hijackloader defense_evasion execution loader ransomware stealer
Link:
https://tria.ge/reports/250916-x1nlxsxpw4/
Behaviour
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
DeerStealer
Deerstealer family
Detects DeerStealer
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Batch (bat) bat f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac

(this sample)

HijackLoader

Microsoft Software Installer (MSI) msi e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418

HijackLoader

Microsoft Software Installer (MSI) msi ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151

  
Link
https://tria.ge/250916-xtd4xaztfx/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151
  
Dropping
MD5 a0f4dd0e9ac7e37fe5b7e3e01f3752a1
Cape
Cape
https://www.capesandbox.com/analysis/27793/

Comments