MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930
SHA3-384 hash: 3c142016589e99ef81f7f2fe9e91c6195d243bc76a3c3ce832f6472935853fc53754530d740e7e4a13fc7b73b65dde7d
SHA1 hash: cfd482a2487ff31a4990cd3c5e34f039abb55f24
MD5 hash: a972df6a4bf4678b1d5da7b3e8dad3f2
humanhash: montana-lemon-nevada-mike
File name:file
Download: download sample
Signature HijackLoader
Create hunting rule
File size:10'146'008 bytes
First seen:2025-11-05 15:44:19 UTC
Last seen:2025-11-05 19:45:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (7 x OffLoader, 4 x HijackLoader, 3 x ValleyRAT)
ssdeep 196608:rDby0Tbyj47tDL6p/QrlLXfPBDKjHLK8ZiHEDtWzYApsyfXvZ9pKScaq:rDXn7tDLs/Ul3o/K8ZiHM0zY149p9q
Threatray 2 similar samples on MalwareBazaar
TLSH T111A62323F64E673EE06A553659729A10543FAE50650A8CB38AEC3E4CCE390A01D7FF57
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 HIjackLoader


Avatar
Bitsight
url: http://178.16.54.200/files/5638395652/knJHFvy.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
89
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2025-11-05 15:45:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/37e0ca20-96e9-498a-88fa-e1e43279050f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35542/
Detection(s):
SecuriteInfo.com.Trojan.Loader.1827.9282.16421.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690b7119ea0f3e915c232ffb
Tags:
vmprotect shellcode injection dropper
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed zero
Link:
https://www.filescan.io/uploads/690b711685b61a93a7380aa6/reports/0f52983e-50d9-4bf0-8bfb-6d1130dd1364/overview
Verdict:
Suspicious
Labled as:
Backdoor.MSIL.XWorm.gen
Link:
https://www.hybrid-analysis.com/sample/5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930
Verdict:
Unknown
File Type:
Link:
https://opentip.kaspersky.com/5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930/results?tab=lookup
Malware family:
Sunstream Labs
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3822bf08-238b-45ac-8be4-0c6f4bfa95fa
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/a972df6a4bf4678b1d5da7b3e8dad3f2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-05 15:45:07 UTC
File Type:
PE (Exe)
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l74akjnifedjextkl4anmzd22t5tynzo64yywcnbfgfsdc22jeya._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
deerstealer
Create hunting rule
Similar samples:
6c0d55be0a3d4ebb1cf17f7a7ab169474e295d8bb59171c1d4e7eea568cd2a8e
HijackLoader
error
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader
Link:
https://tria.ge/reports/251105-s69n5afq4t/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/52a6575a-c730-460c-805d-2a8759f9d06d
Unpacked files
SH256 hash:
5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930
MD5 hash:
a972df6a4bf4678b1d5da7b3e8dad3f2
SHA1 hash:
cfd482a2487ff31a4990cd3c5e34f039abb55f24
Link:
https://www.unpac.me/results/bf4101d4-4d61-4115-a5cb-9a9099cccaff/
SH256 hash:
5a4e742b0e562d5117e14ed12646f36e08a72aeae8c5001ae230827429e257f3
MD5 hash:
1746895ac3a70b439253e78777ea4e0a
SHA1 hash:
7ff468d34ca33d68b40e35c7db4e928bad63833f
Link:
https://www.unpac.me/results/bf4101d4-4d61-4115-a5cb-9a9099cccaff/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/bf4101d4-4d61-4115-a5cb-9a9099cccaff/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ff80525a829/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe 5ff80525a82906925e6a5f00d6647ad4fb3c372ef7318b09a1298b218b5a4930

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/35542/
  
URLhaus
https://urlhaus.abuse.ch/url/3697229/

Comments