MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3306b32868590d80dfbcafaba3c6cbbf3514b7b6b4297c41561cec7d769d7b0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: HijackLoader
Vendor detections: 12

SHA256 hash: 3306b32868590d80dfbcafaba3c6cbbf3514b7b6b4297c41561cec7d769d7b0f
SHA3-384 hash: cc6185e01de53f1e909dfbabeabf2be9a35b662a69ca8efe4bf6573ec9563522e8c7dd1d75eec77250171441b6d42158
SHA1 hash: a9825250a69a737e97f5e419b3a9827147f0a6ac
MD5 hash: bb8dbe93d1bf59f7949fd3e5d800a502
humanhash: batman-lamp-magnesium-fillet
File name: 02WLPQTDGE.msi
Signature: HijackLoader
File size: 13'611'008 bytes
First seen: 2025-09-17 18:20:42 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:OeQJkaFXCGXdkhI7SRMhCLFsQKXN6JCzhLZHPjxzRbsKr650/76nVuB2oE4hWj7i:bmyKdkhI7am+CphjJRl6qunVuBxEKM
Threatray: 2 similar samples on MalwareBazaar
TLSH: T10AD63323FAA1176BC2832D3C2668F3715BBD7C0A3B0652AB510737A554F76E26534A0F
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: AcreedStealer apiwin-bet dropped-by-ACRStealer HIjackLoader msi signed

Code Signing Certificate

Organisation: Qihoo 360 Technology Ltd
Issuer: Qihoo 360 Technology Ltd
Algorithm: sha1WithRSA
Valid from: 2018-12-31T23:00:00Z
Valid to: 2098-12-31T23:00:00Z
Serial number: -3b26472c3736bf62bd782c8675aaece1
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 355f429b04060c796462ef121e9a0809128642526da08519b9f9e056767cdb0d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Comment from iamaachum:
http://mi.raisindispose.com/kaWt2QXfpPueNM/F.ct/02WLPQTDGE.msi

Intelligence

File Origin
# of uploads: 1
# of downloads: 45
Origin country: ES
Vendor Threat Intelligence

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: anti-debug expired-cert installer signed wix

Verdict: Malicious
File Type: msi
First seen: 2025-09-17T15:39:00Z UTC
Last seen: 2025-09-17T15:39:00Z UTC
Hits: ~100
Detections: Trojan-PSW.Win32.Coins.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb HEUR:Trojan-PSW.OLE2.Coins.gen
Result
Threat name: HijackLoader
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 96 / 100
Signature
Contains functionality to infect the boot sector
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Switches to a custom stack to bypass stack traces
Writes many files with high entropy
Yara detected HijackLoader
Behaviour
Behavior Graph: ID 1779496, sample 02WLPQTDGE.msi, start date 17/09/2025, architecture WINDOWS, score 96 (graph rendering not reproduced here)
Verdict: inconclusive
YARA: 4 match(es)
Tags: CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump)
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Badlisted process makes network request
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: Check_OutputDebugStringA_iat

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: dependsonpythonailib
Author: Tim Brown
Description: Hunts for dependencies on Python AI libraries

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode

Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name: Macos_Infostealer_Wallets_8e469ea0
Author: Elastic Security

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Surtr
Author: Katie Kleemola
Description: Rule for Surtr Stage One

Rule name: SurtrStrings
Author: Katie Kleemola
Description: Strings for Surtr

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: HijackLoader
File type: Microsoft Software Installer (MSI) msi
SHA256: 3306b32868590d80dfbcafaba3c6cbbf3514b7b6b4297c41561cec7d769d7b0f (this sample)

Dropped by: ACRStealer
Delivery method: Distributed via web download