MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db
SHA3-384 hash: 0ecf77b0275057d4ca758ba3898c80c184382ed820b87523957e613691a8ba3302df98e33c0e65efc254f3fd5454fadc
SHA1 hash: 5d2dd40d9917463be49ff488231e3eb3ad695262
MD5 hash: e39cf166b6108553e9a4ec390c2dede7
humanhash: july-carpet-mockingbird-eight
File name:SecuriteInfo.com.Trojan-Spy.MSI.Agent.12783.31328
Download: download sample
Signature HijackLoader
Create hunting rule
File size:4'194'304 bytes
First seen:2025-11-15 22:19:07 UTC
Last seen:2025-11-15 23:19:14 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:lUSxGnhnHUxNApGpJRwnVPh/TetgO6RsCA6/gs3FRqd4ryoLQrvQP71TuKfm84Qd:lUL5HvSRwVJagut6/V1RM4r9Q051+8G
Threatray 58 similar samples on MalwareBazaar
TLSH T161163386F8421F42F7174935D7926791178ACFA09AC3C096F8ED7269C474BC6202BFA7
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SecuriteInfoCom
Tags:HIjackLoader msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
64
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38320/
Detection(s):
SecuriteInfo.com.Trojan-Spy.MSI.Agent.12783.31328.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6918fc6fbdb0ec3a9dc2163c
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug expired-cert fingerprint installer installer wix
Link:
https://www.filescan.io/uploads/6918fc6c0c70fbf813abfdb1/reports/533672d8-1978-42e2-9351-2f1dd999b12c/overview
Verdict:
Suspicious
Labled as:
Generik.YPTIPJ trojan
Link:
https://www.hybrid-analysis.com/sample/770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db
Verdict:
Malicious
File Type:
msi
First seen:
2025-11-15T13:50:00Z UTC
Last seen:
2025-11-17T15:50:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.OLE2.Alien.gen Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb
Link:
https://opentip.kaspersky.com/770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db/results?tab=lookup
Score:
9%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/e39cf166b6108553e9a4ec390c2dede7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4gjf6pndkprl7zweeo6opgt35cgspom7nwcb62f5zoh4qssphnq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
deerstealer
Create hunting rule
Similar samples:
1f1b6bb4c46a91ad98231aa09d8fa31e4443be1afc5c45f5fda62659ac3d5764
HijackLoader
6c0d55be0a3d4ebb1cf17f7a7ab169474e295d8bb59171c1d4e7eea568cd2a8e
HijackLoader
772a30aed296438ac6b15e39125e213a8beea7abd862b72c21906d3326b19b03
HijackLoader
a78ffd85baef5049b36b9e694d41509aa3c9308a1ec5294c0ab5ae97eb95b18d
HijackLoader
b87932a6ec2499d7d36ca764a64e5b38a209d1bb97346ef65226082db6830194
HijackLoader
ba699da64d44b039defd4f42340bc7bec888b8dcef135d5735f2af309ce8ce72
HijackLoader
bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
HijackLoader
c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f
HijackLoader
d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745
HijackLoader
error
HijackLoader
+ 48 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251115-18pezaykhk/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec2cedaa-daa7-4bd1-bfc7-ca33f3c5d7f9
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/770c92f9ed1a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Microsoft Software Installer (MSI) msi 770c92f9ed1a9f15ff36211de73cd3df44693dccfb6c20fb45ee5c7e425279db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3709518/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38320/

Comments