MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e902a2bb0bd1822e604ebd7486b145635c1116e5f62b6573a691267dc4db192. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e902a2bb0bd1822e604ebd7486b145635c1116e5f62b6573a691267dc4db192
SHA3-384 hash: 19b65dad1687c5536f633b5df99bf82c37d3485b13ae28908faf681b69876cb54752ecb7b716fb5b39904638d0c82038
SHA1 hash: 0bccdafc685ea856da3f274d05d695776f6a985d
MD5 hash: 70cc51705c86831a7d888b64d945f208
humanhash: cola-salami-grey-mountain
File name:jzQILRF.msi
Download: download sample
Signature HijackLoader
Create hunting rule
File size:6'139'904 bytes
First seen:2025-06-09 09:58:40 UTC
Last seen:2025-08-29 06:51:38 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:MGFfA8kzI71BTihgkTgVrZNheIwAYPqFVPKyH/u1wPkhfBm6l3Kit4k2cDP:VF48kG1ghpTgZhehSFVC+/iBm6FdK
Threatray 3 similar samples on MalwareBazaar
TLSH T17556336E77A23D97C98101BF5E1AB2F94699FCAB0E6F98159440700E07F4AD827DF0B4
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:anodes-pro HIjackLoader msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
36
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8021/
Detection(s):
SecuriteInfo.com.W32.Patched.NLW.tr.29495.21731.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6846b2e107b5e8c1cfe5d242
Tags:
n/a
Verdict:
Malicious
Labled as:
Win64/TrojanDownloader.Rugmi
Link:
https://www.hybrid-analysis.com/sample/8e902a2bb0bd1822e604ebd7486b145635c1116e5f62b6573a691267dc4db192
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8e902a2bb0bd1822e604ebd7486b145635c1116e5f62b6573a691267dc4db192
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1709707
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Behaviour
Behavior Graph:
Download SVG
Score:
12%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/8e902a2bb0bd1822e604ebd7486b145635c1116e5f62b6573a691267dc4db192
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e902a2bb0bd1822e604ebd7486b145635c1116e5f62b6573a691267dc4db192/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2icuk5qxumcfzqe5pluq2yuky24celol5rlmvz2nejgpxcnwgja._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
Similar samples:
39679ee4de6993c82b73bcf8ab58d86b9551da860ef242f5d3c8ebf577bfbd77
HijackLoader
e375feaacbfedab9d42574f2ac47160ca4a0cdac2e72d0d4855628d7888f3683
HijackLoader
error
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:hijackloader discovery loader persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250609-lzyjysdm7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Enumerates system info in registry
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/016b9a8b-bfb7-4165-b988-cbbd644570ac
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e902a2bb0bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e902a2bb0bd1822e604ebd7486b145635c1116e5f62b6573a691267dc4db192

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Microsoft Software Installer (MSI) msi 8e902a2bb0bd1822e604ebd7486b145635c1116e5f62b6573a691267dc4db192

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3559248/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/8021/

Comments