MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874
SHA3-384 hash: f340eba584070f6083e2753474083cbb2a6acb33193f07aa4ba0b290b14c0feed5d0b22dbebee664448f14e7f0eb25f9
SHA1 hash: 401d109fab04e856b775d1f37c04fa090d042390
MD5 hash: 3a8351004d09d536aab7352ba11386fc
humanhash: one-louisiana-fruit-mexico
File name:SecuriteInfo.com.Trojan.Rugmi.1.Gen.22846.11990
Download: download sample
Signature HijackLoader
Create hunting rule
File size:8'253'440 bytes
First seen:2025-11-26 07:50:53 UTC
Last seen:2025-11-26 08:31:58 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:nrzCn4Oier1v4D3LqqJJVCnC9XKQhrxMNPUKjmi/ai4l/fPkg6L8m1ftfOYiJKf6:q4c1vg38C96IrCFzj3Q/tK1flCU/+
Threatray 4 similar samples on MalwareBazaar
TLSH T14A8633E1F9D1AB41DC2B4131043EC9A6BD627E068774326A28A7F7CA58717F3317B252
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SecuriteInfoCom
Tags:HIjackLoader msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
45
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41528/
Detection(s):
SecuriteInfo.com.Trojan.Rugmi.1.Gen.22846.11990.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6926b1875d7fac83ebf32892
Tags:
n/a
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-11-26T04:21:00Z UTC
Last seen:
2025-11-26T15:33:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874/results?tab=lookup
Score:
6%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/3a8351004d09d536aab7352ba11386fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874/
Threat name:
Binary.Trojan.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-11-26 03:40:23 UTC
File Type:
Binary (Archive)
Extracted files:
243
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzcdrunp7xqo2pgjouuv7kbobupcbwszql6vvsofu3zdp3co7b2a._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930
HijackLoader
6c0d55be0a3d4ebb1cf17f7a7ab169474e295d8bb59171c1d4e7eea568cd2a8e
HijackLoader
731a72d29320e1bf43b2004ee56583c7b9c279790c01b3569141bd8849d3afca
HijackLoader
error
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader loader persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/251126-jpy2mawmc1/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fecb081a-26ac-4c52-996a-292587f3ffca
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/564438d1affd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Microsoft Software Installer (MSI) msi 564438d1affde0ed3cc975295fa82e0d1e20da5982fd5ac9c5a6f237ec4ef874

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/41528/
  
URLhaus
https://urlhaus.abuse.ch/url/3716968/
  
Delivery method
Distributed via web download

Comments