MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f
SHA3-384 hash: fe01cbb70da29db50d474b6e5d3d5ed30e0b19112c2197ca8055dc774c6e40233a139dd9c2ec8ec22b88a26dd5496db6
SHA1 hash: 5a994b7478de7c081c68835227817a43b0903f38
MD5 hash: e66180198be0e557e26e57b93c1f68b1
humanhash: pip-vegan-nine-quebec
File name:Driver Booster 13 [by j0nb4].exe
Download: download sample
Signature HijackLoader
Create hunting rule
File size:6'209'721 bytes
First seen:2025-09-17 09:59:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 492a5d3560401c2811de048088bf91d0 (4 x DonutLoader, 2 x HijackLoader, 1 x QuasarRAT)
ssdeep 98304:2CgOPB3KSfvKTiZQ5SUeg0MpHlrDpQd+BYwPIgvWZCI6BJQisEtCiRTipHYjWIz:xvPBaAT1UegpQd+BDPzuZCI6BXsEtCiL
TLSH T1D4563308E7F011F9D1BB91B1CA569A06D7B67C5A0B605BCF13F449AA1F2B2909D3F312
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter JaffaCakes118
Tags:exe HIjackLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DriverBooster13byj0nb4.exe
Verdict:
Malicious activity
Analysis date:
2025-09-17 10:02:15 UTC
Tags:
hijackloader loader auto-startup
Link:
https://app.any.run/tasks/5c57da95-4525-463f-aef6-84dc6f58a274

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27892/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ca867e88b9544392472779
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 expand expired-cert explorer fingerprint fingerprint keylogger lolbin microsoft_visual_cc overlay overlay packed wmic
Link:
https://www.filescan.io/uploads/68ca867db29d966a312c5dcb/reports/f2242ab1-2e88-47b9-ba15-ef9af00d46e8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-16T22:50:00Z UTC
Last seen:
2025-09-16T22:50:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Penguish.sb Trojan.Win32.Crypt.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan.Win64.Penguish.sbd VHO:Trojan.Win32.Penguish.frz PDM:Trojan.Win32.Generic Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.frz
Link:
https://opentip.kaspersky.com/f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c98408e9-a15c-4fbd-b5ef-98b6d66e53db
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/e66180198be0e557e26e57b93c1f68b1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f
Threat name:
Win64.Trojan.Hijackloader
Create hunting rule
Status:
Malicious
First seen:
2025-09-17 08:57:30 UTC
File Type:
PE+ (Exe)
Extracted files:
998
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kzqpsmfzv4baonvjtt727wfrmkpfs4lkxfm235jq6rjdraifnhq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
error
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader
Link:
https://tria.ge/reports/250917-lz8pxsxzex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8ebf3eee-3b79-4622-a284-84c3d728a213
Unpacked files
SH256 hash:
f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f
MD5 hash:
e66180198be0e557e26e57b93c1f68b1
SHA1 hash:
5a994b7478de7c081c68835227817a43b0903f38
Link:
https://www.unpac.me/results/96f7de0b-ed02-4b53-9e8e-607a4947e8cf/
SH256 hash:
0df1b66054cab7ee025381a13c547ab60fd03cff30533d5811f5e16fcb6a18a1
MD5 hash:
883967960cb8908e4842cabf9134c81d
SHA1 hash:
bc7fedba079eda4d4947118814bfb45c448fb38b
Link:
https://www.unpac.me/results/96f7de0b-ed02-4b53-9e8e-607a4947e8cf/
SH256 hash:
14c64e71a3f1edac861370abe291eeee4dbf5ea4a83315ca2fe07c40d4fdd84a
MD5 hash:
9aeb2d782c07245e1f065ffdd63ba7e8
SHA1 hash:
f5f5c342bad936ccc9848e594d9b77c85143d252
Link:
https://www.unpac.me/results/96f7de0b-ed02-4b53-9e8e-607a4947e8cf/
SH256 hash:
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad
MD5 hash:
8ff1898897f3f4391803c7253366a87b
SHA1 hash:
9bdbeed8f75a892b6b630ef9e634667f4c620fa0
Link:
https://www.unpac.me/results/96f7de0b-ed02-4b53-9e8e-607a4947e8cf/
SH256 hash:
57972c5ce575ea09835212dba27791f33b8f07980bba69393d75b1cc20d58a6c
MD5 hash:
14bf5d3b181d00eaa72e0fe4a3c4d138
SHA1 hash:
53d6030fdf0077b1a4e4c362ed16b0a7ff9e8bf1
Link:
https://www.unpac.me/results/96f7de0b-ed02-4b53-9e8e-607a4947e8cf/
SH256 hash:
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5
MD5 hash:
1a84957b6e681fca057160cd04e26b27
SHA1 hash:
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe
Link:
https://www.unpac.me/results/96f7de0b-ed02-4b53-9e8e-607a4947e8cf/
SH256 hash:
d6fba69d7734c0f6ede30a4e40801927ced68c143e8ee4eff8dd946402391138
MD5 hash:
25c5312e42671499ab2b49e322dafa77
SHA1 hash:
e9d4a196f2a8a90ff29844cf84c01b57f55494ce
Link:
https://www.unpac.me/results/96f7de0b-ed02-4b53-9e8e-607a4947e8cf/
SH256 hash:
e422c9366a53536a35e307ef301f08661c28c29b7fcda1b454333c6a41c6bb21
MD5 hash:
e76b52d11db435d36453d26c8b446a8f
SHA1 hash:
6e20c17ed973e38d4a3f26cfc020af05ff9a6eea
Link:
https://www.unpac.me/results/96f7de0b-ed02-4b53-9e8e-607a4947e8cf/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2b307c985cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Windows_Trojan_GhostPulse_caea316b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/27892/

Comments