MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed
SHA3-384 hash: 6cc1ae86ce20b50082e971932883cfb54124dbb35668ce108fa3d106a0205ae81c78bdf18f9a9a6078ba4d3ff45b0bcf
SHA1 hash: 251c4063dbd5b09b9ff675f1ee65b7cd905c9e15
MD5 hash: 51b4b4ac907bbeec797028f1764f190c
humanhash: shade-october-zebra-single
File name:SecuriteInfo.com.Other.Malware-gen.53368632
Download: download sample
Signature HijackLoader
Create hunting rule
File size:3'891'200 bytes
First seen:2025-10-31 07:17:10 UTC
Last seen:2025-10-31 08:19:05 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:uuTMXHTkOs98HQeDwJRcW7BNg3cszCDkUrf:VMDc8QlcvBz3k
Threatray 34 similar samples on MalwareBazaar
TLSH T170063332319643EFD045A9B4511AD688CF831C25BFFDE1648F29B42D28738652FD3DAA
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SecuriteInfoCom
Tags:HIjackLoader msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
47
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34874/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69046290706befaf4ecaa444
Tags:
obfusc overt crypt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug expired-cert fingerprint installer installer keylogger packed wix
Link:
https://www.filescan.io/uploads/690462a2a3d16310952327ec/reports/56c7b6f1-6325-4b3e-aac9-f5c4de74708d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed
Verdict:
Malicious
File Type:
msi
First seen:
2025-10-30T10:57:00Z UTC
Last seen:
2025-11-02T01:50:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Crypt.sb HEUR:Trojan.OLE2.Alien.gen
Link:
https://opentip.kaspersky.com/36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed/results?tab=lookup
Score:
10%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/51b4b4ac907bbeec797028f1764f190c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed
Threat name:
Win32.Trojan.Hijackloader
Create hunting rule
Status:
Suspicious
First seen:
2025-10-30 15:06:55 UTC
File Type:
Binary (Archive)
Extracted files:
77
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3wsk73sazyecwxq7pkma342cfkxfvr6sgb7fukcx2xepn2myxwq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
25b34f7a1aa68458a150182a2a292ea61bc3a45a72782839fdc0be58b90bd655
HijackLoader
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
HijackLoader
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
HijackLoader
9705b02f24c62bc938211d125bfeb3c4fc842b2cd74f05df36cfb3a23c7bbcec
HijackLoader
e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
HijackLoader
ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151
HijackLoader
error
HijackLoader
f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac
HijackLoader
+ 24 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/251031-h4sygsfy3c/
Behaviour
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/36ed257f7206/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Microsoft Software Installer (MSI) msi 36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3691747/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34874/

Comments