MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c0a88ea53c4e0324157542385a1d342101feb51cf7b8cf76e9441376f1f522a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader
Vendor detections: 12

SHA256 hash: 9c0a88ea53c4e0324157542385a1d342101feb51cf7b8cf76e9441376f1f522a
SHA3-384 hash: bc6343f01d759829e273b7de8a7454771d35435f851cde3596372ca74e932fa5f8b740bd4109034041a7e5d1d2f8ab72
SHA1 hash: 36852534338ae1d12fee8567c96636bbe1fe6d38
MD5 hash: c31217109ba50059d7c081a7e832d0cf
humanhash: pluto-steak-lion-mars
File name: SDK_Driver.exe
Signature: HijackLoader
File size: 82'406'088 bytes
First seen: 2026-07-01 10:50:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 88016fcdef7f227c62171d0afad9aae4 (15 x OffLoader, 10 x ValleyRAT, 4 x Gh0stRAT)
ssdeep: 1572864:PSyoUioZrM9ABcshf7MCQXuaKA+EHdggi2YAbERHWhywkJqIXpsc:PLMias1TYKIHdggi2YAbpAJqwps
TLSH: T1DD083337B157713CE02A8B357576A6209C3BAE519403092BDBE4C99CDF392703A3E697
TrID:
63.8% (.EXE) Inno Setup installer (107240/4/30)
24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (6522/11/2)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: f2b9719083d96ab4 (1 x HijackLoader)
Reporter: SquiblydooBlog
Tags: exe HIjackLoader signed

Code Signing Certificate

Organisation: ELH Palkehituse OÜ
Issuer: Microsoft ID Verified CS EOC CA 04
Algorithm: sha384WithRSAEncryption
Valid from: 2026-05-20T14:29:39Z
Valid to: 2026-05-23T14:29:39Z
Serial number: 330001385332ba26bc619362ab000000013853
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 2d9ed14afac841c5461b58fb6325a2f00833a6716823a5a8b7ba231dc3d8f110
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 206
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SDK_Driver.exe
Verdict: Malicious activity
Analysis date: 2026-07-01 10:36:25 UTC
Tags: inno installer delphi phishing telegram auto-reg

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: dropper delphi sage blic

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Deleting a recently created file
Creating a file in the %AppData% directory
DNS request
Unauthorized injection to a recently created process
Loading a suspicious library
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug crypto embarcadero_delphi evasive expired-cert fingerprint inno installer installer installer-heuristic packed reconnaissance short-lived-cert signed

Verdict: Malicious
File Type: exe x32
First seen: 2026-07-01T08:14:00Z UTC
Last seen: 2026-07-02T08:29:00Z UTC
Hits: ~10
Detections: Trojan-Dropper.Win32.Injector.sb HEUR:Trojan.Script.Agent.gen
Threat name: Win32.Trojan.HijackLoader
Status: Malicious
First seen: 2026-06-19 17:53:51 UTC
File Type: PE (Exe)
Extracted files: 18673
AV detection: 14 of 38 (36.84%)
Threat level: 5/5

Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader credential_access discovery installer loader persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Browser Information Discovery
Program crash
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Unsecured Credentials: Credentials In Files
Detects HijackLoader (aka IDAT Loader)
Family: HijackLoader, IDAT loader, Ghostulse
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
