MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578
SHA3-384 hash: a25cce0c747065d2f3b9fd517f1d6482c8209bd06c996aafaba6579661f27309d26ee04a6065f88a7f5bddd61544e370
SHA1 hash: e58dd9f45f78d5af0670784105e91db9dc79af81
MD5 hash: 3428e376fc56f0ccdab410a7101c01a3
humanhash: mars-sink-potato-magnesium
File name:KeePass_2.60_x86_x64.msi
Download: download sample
Signature HijackLoader
Create hunting rule
File size:4'136'960 bytes
First seen:2026-01-12 11:15:10 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:j43ukWzGl/ZrKPpE7x0SCGIMYQOSemKSLKGA:UtxZ/IMYQOSJ+G
Threatray 44 similar samples on MalwareBazaar
TLSH T1FD1633812DBE4AA3E71A28781019E3C903DAFFE57F9AF28E218637014CFC759257556C
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SquiblydooBlog
Tags:HIjackLoader msi signed

Code Signing Certificate

Organisation:FOCUS DIGITAL AGENCY SP Z O O
Issuer:Microsoft ID Verified CS AOC CA 02
Algorithm:sha384WithRSAEncryption
Valid from:2026-01-06T15:20:41Z
Valid to:2026-01-09T15:20:41Z
Serial number: 330006ce519e7f692cf18f808100000006ce51
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 39df378ce61479d3db955d3023d91e06669224dd9f28ab4afda9926b9765a71c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/1ce7acfe-8be3-4d9c-9917-2834f5a2c301/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48598/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6964d7e8a3ed2a87ae3e8064
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug expired-cert expired-cert fingerprint installer installer short-lived-cert signed wix
Link:
https://www.filescan.io/uploads/6964d7e11a20a4c87b1b4a05/reports/904bfa9a-11e4-4748-86f5-16fb5d3209bf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2026-01-12T08:28:00Z UTC
Last seen:
2026-01-14T00:38:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.DLLhijack.bsv Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb
Link:
https://opentip.kaspersky.com/94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578/results?tab=lookup
Score:
8%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/3428e376fc56f0ccdab410a7101c01a3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578
Threat name:
Win64.Trojan.Hijackloader
Create hunting rule
Status:
Suspicious
First seen:
2026-01-11 22:14:34 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqyhdeo3uolc4xobeh5cvgckpbfjkgxqyd6jekkxdcmgm7rsav4a._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
02a9692c6ae6cb862657390e9d1adc6ea21ba810e73831ef3dc973b40f8d8966
HijackLoader
057ab7dcbd03786d234543ced23a4fe58f2d0d29d2aa28ad8f73b78270d5c5e6
HijackLoader
10e74c75502512da56a2717c50f815d749607f76df45a9a0f9eecb8ee60f66b8
HijackLoader
643fe4bf793c941d42c14c59d85fa033381652fafbd4122792c04cc0316c2d68
HijackLoader
8b4a40d5bf036b2193ffe08ec01f8d5e5eebbd63ba793bea714965ba216362ff
HijackLoader
a78ffd85baef5049b36b9e694d41509aa3c9308a1ec5294c0ab5ae97eb95b18d
HijackLoader
aee7978dc8889e53d9cbd36ff78c5c26d92e52365591accc0a7ba2afbcc40dbf
HijackLoader
d7e5be8aa67b33d9cd681c126c5523c919692ef44af69b470def0863d2f28120
HijackLoader
error
HijackLoader
+ 34 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/260112-ncybsadx4c/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Badlisted process makes network request
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/99227a2e-533d-4729-8f8d-333f46a9b593
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94307191dba3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48598/

Comments