MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5deb702c44e2668f5778e5ab9c3dc70f4d80914e6ea89138eaef29e90901f77f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	5deb702c44e2668f5778e5ab9c3dc70f4d80914e6ea89138eaef29e90901f77f
SHA3-384 hash:	adfa7187d48c80d02fb3ead04d11893510eb747a14a8ce356d744d37d7ba674e16d63838ede4a9ba6daa9c3fbb899aef
SHA1 hash:	6284333cd6b5b2bf817b2ebfce1d5db05a78105f
MD5 hash:	6ea9d305b5b80a29481ad1e8175bc930
humanhash:	orange-arizona-louisiana-finch
File name:	YYDUPJQM.msi
Download:	download sample
Signature	HijackLoader Create hunting rule
File size:	7'462'912 bytes
First seen:	2025-09-19 06:38:11 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	98304:oBEwKVPxgn9tQIY9JM+Gt41ZFDUcHr85Pie0LMxpcNuVZ4R37vxUID8Ep6ra850J:oBEDBxu9g3+4rGciPirLMuDRt/6m86
Threatray	2 similar samples on MalwareBazaar
TLSH	T19C7633C27615E7B3C8F857B0EF27564125582DDBC3C9D89306A03F8969B3F9A13E6482
TrID	88.4% (.MST) Windows SDK Setup Transform script (61000/1/5) 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	JAMESWT_WT
Tags:	80-253-249-210 booking HIjackLoader maut-swiss-com msi Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/28259/

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ccfa746b621794b130d4de

Tags:

n/a

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

installer threat wix

Link:

https://www.filescan.io/uploads/68ccfa80254431b688d49726/reports/35816235-f309-43b3-9ac6-568cd41d80ac/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/5deb702c44e2668f5778e5ab9c3dc70f4d80914e6ea89138eaef29e90901f77f

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/5deb702c44e2668f5778e5ab9c3dc70f4d80914e6ea89138eaef29e90901f77f

Verdict:

Malicious

File Type:

msi

First seen:

2025-09-19T05:21:00Z UTC

Last seen:

2025-09-19T05:21:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5deb702c44e2668f5778e5ab9c3dc70f4d80914e6ea89138eaef29e90901f77f/results?tab=lookup

Score:

26%

Verdict:

Benign

File Type:

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader discovery loader persistence privilege_escalation ransomware

Link:

https://tria.ge/reports/250919-hekwksek2t/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates connected drives

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e8ef5f70-8dd0-4a00-9d7a-19ad1e28cb28

Malware family:

IDATLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5deb702c44e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5deb702c44e2668f5778e5ab9c3dc70f4d80914e6ea89138eaef29e90901f77f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	Windows_Trojan_GhostPulse_caea316b Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/28259/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample