MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7adcc8466d2e071c926f0fdf9b5a601de304ef017df7d5cc0a1032b85783aad5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



HijackLoader


Vendor detections: 12



SHA256 hash: 7adcc8466d2e071c926f0fdf9b5a601de304ef017df7d5cc0a1032b85783aad5
SHA3-384 hash: 37f1ed5b2fcf1c0d5e8dd487d6660a5e95812b4ebb7536b8fd0e689f0271184e9754ee063552608f6df14aa391e16e40
SHA1 hash: 4eed34d45db4d03bf8eda7a4101a45f8526f50f3
MD5 hash: a9fcc8c378891251435c8c26d2dc68c7
humanhash: kentucky-monkey-nevada-eight
File name: Documents.msi
Signature: HijackLoader
File size: 5'210'112 bytes
First seen: 2025-09-11 14:35:04 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:TpQPrerQyJqTmND08RtwQI7tSz8CQ88Es+BhdlG1Zpmv90/RugHnTmHrScWLun9b:TpaKkybNDbtwx7XCQ88Es2lGhmOcgHSe
Threatray: 236 similar samples on MalwareBazaar
TLSH: T1863633E96A6A6D43E242063790A15A4CCE177C141791A9AF7387FA2CD97D3F3C3D3290
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: HIjackLoader invitation-confirm-com msi


iamaachum
https://invitation-confirm.com/ => https://raw.githubusercontent.com/bihehuxo26-code/polygon/refs/heads/main/Documents.msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 32
Origin country: ES
Vendor Threat Intelligence
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: installer wix
Verdict: Malicious
File Type: msi
First seen: 2025-09-11T11:53:00Z UTC
Last seen: 2025-09-11T11:53:00Z UTC
Hits: ~10
Detections: Trojan.Win64.DLLhijack.aat Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Injector.sb Trojan.Win32.Inject.sb
Result
Threat name: HijackLoader
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Switches to a custom stack to bypass stack traces
Yara detected HijackLoader
Behaviour
Behavior Graph (ID 1775703; sample Documents.msi; start date 11/09/2025; architecture WINDOWS; score 80), flattened from the graph image:
Documents.msi: Found malware configuration; Yara detected HijackLoader
  -> msiexec.exe
       drops C:\Users\user\AppData\Local\...\Nano-Ex.exe (PE32+), C:\Users\user\AppData\Local\...\mfc110u.dll (PE32+), C:\Users\user\AppData\Local\...\MSVCR110.dll (PE32+), C:\Users\user\AppData\Local\...\MSVCP110.dll (PE32+)
       -> Nano-Ex.exe
            drops C:\ProgramData\KVH_Scan_v4_x64\Nano-Ex.exe (PE32+), C:\ProgramData\KVH_Scan_v4_x64\mfc110u.dll (PE32+), C:\ProgramData\KVH_Scan_v4_x64\MSVCR110.dll (PE32+), C:\ProgramData\KVH_Scan_v4_x64\MSVCP110.dll (PE32+)
            Found direct / indirect Syscall (likely to bypass EDR)
            -> Nano-Ex.exe
                 drops C:\Users\user\XCompiler.exe (PE32+), C:\ProgramData\KVH_Scan_v4_x64\Chime.exe (PE32), C:\Users\user\AppData\Local\...\134223E.tmp (PE32+), C:\Users\user\AppData\Local\...\11314EF.tmp (DOS)
                 Drops PE files to the user root directory; Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); 2 other signatures
                 -> XCompiler.exe: Found direct / indirect Syscall (likely to bypass EDR)
                      -> WerFault.exe
                 -> Chime.exe: Switches to a custom stack to bypass stack traces
  -> Nano-Ex.exe
       drops C:\Users\user\AppData\Local\...\278A6DF.tmp (PE32+), C:\Users\user\AppData\Local\...\25A9AD8.tmp (DOS)
       Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
       -> XCompiler.exe
            -> WerFault.exe
       -> Chime.exe
  -> msiexec.exe
Verdict: inconclusive
YARA: 4 match(es)
Tags: CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-09-11 14:32:44 UTC
File Type: Binary (Archive)
Extracted files: 854
AV detection: 8 of 38 (21.05%)
Threat level: 5/5
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery loader persistence privilege_escalation ransomware
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict: Suspicious
Tags: n/a
YARA: n/a
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | HijackLoader | Microsoft Software Installer (MSI) msi | 7adcc8466d2e071c926f0fdf9b5a601de304ef017df7d5cc0a1032b85783aad5 (this sample)

Delivery method: Distributed via web download

Comments