MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0
SHA3-384 hash: e2492b9f423563cd385b7105bfe1ce7f2c0dd01fa62f1c32c3613d253bfbdad9e61068403c805acede5c4576c49d8f8b
SHA1 hash: 2c46e74921b48f736e010a65304b777bcddf7f7a
MD5 hash: ae78acb8120592579e12fb2ec7604ea9
humanhash: avocado-illinois-sixteen-violet
File name:file
Download: download sample
Signature HijackLoader
Create hunting rule
File size:3'677'900 bytes
First seen:2025-11-02 17:37:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 98304:+pICnuAiATB3RvSjg7+uR95uQigaUCPE8Y8XSZoKqn0:+pLZT/qkCuR95xiACPEUSPqn0
Threatray 18 similar samples on MalwareBazaar
TLSH T1140633003744A8B6E16ACA338F98D7651573D7E523427E4B29C92E6B9EE3032D3871DC
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 HIjackLoader


Avatar
Bitsight
url: http://178.16.55.189/files/5638395652/xAQW9xU.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-11-02 17:37:58 UTC
Tags:
auto generic python
Link:
https://app.any.run/tasks/d9360361-9af4-41a6-a9be-fd6b13e06923

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35023/
Detection(s):
SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690796e69942f1282ecb7ab2
Tags:
injection dropper obfusc
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connection attempt
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-02T14:42:00Z UTC
Last seen:
2025-11-03T10:28:00Z UTC
Hits:
~10
Detections:
Trojan-Dropper.Win32.Agent.tkddvb
Link:
https://opentip.kaspersky.com/9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/75a44e13-d4c4-4c2c-a2ad-0d14d103a592
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/ae78acb8120592579e12fb2ec7604ea9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-02 17:38:00 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=twwxp64gcpc6hjgxpccoxb5ge47lusf4khk3fd4b4pagyzihupqa._file
Verdict:
malicious
Label(s):
deerstealer
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
057ab7dcbd03786d234543ced23a4fe58f2d0d29d2aa28ad8f73b78270d5c5e6
HijackLoader
4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd
HijackLoader
6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134
HijackLoader
a78ffd85baef5049b36b9e694d41509aa3c9308a1ec5294c0ab5ae97eb95b18d
HijackLoader
aee7978dc8889e53d9cbd36ff78c5c26d92e52365591accc0a7ba2afbcc40dbf
HijackLoader
df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7
HijackLoader
e61a0c457a57eb941199d4461934f73a88db58ee64b74a28373f28c85d757c84
HijackLoader
error
HijackLoader
f1dc9b92cd5cfdbdd5eb21e0f8ae15e1bc3b92d8ca630fa66f9cc2babac81c3e
HijackLoader
+ 8 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader spyware stealer
Link:
https://tria.ge/reports/251102-v7e71sct8f/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8f07936c-70de-4b92-9134-cafcd8e78be8
Unpacked files
SH256 hash:
9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0
MD5 hash:
ae78acb8120592579e12fb2ec7604ea9
SHA1 hash:
2c46e74921b48f736e010a65304b777bcddf7f7a
Link:
https://www.unpac.me/results/808fb953-4f0c-4c90-b392-b70d36c43ab4/
SH256 hash:
1856e8897d370a620d631896945ab400dc3f1bbed9c1829aa72427d1447fa5c7
MD5 hash:
d093784348e80480ba416a5b2cdfc926
SHA1 hash:
a71b253e4f0b83a0b06276e4216b5f5ff9b6c489
Link:
https://www.unpac.me/results/808fb953-4f0c-4c90-b392-b70d36c43ab4/
SH256 hash:
d79395b8ce6976513a030504db0f60330363f5f16bbc4bd9972e5904d5bef89d
MD5 hash:
99ba64fe06c6d91c7f5324d7e1d15b15
SHA1 hash:
bf96bc6f46dd73b5f521c0ab2273e5b48049bd7f
Link:
https://www.unpac.me/results/808fb953-4f0c-4c90-b392-b70d36c43ab4/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9dad77fb8613/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe 9dad77fb8613c5e3a4d77884eb87a6273eba48bc51d5b28f81e3c06c6507a3e0

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3694279/
Cape
Cape
https://www.capesandbox.com/analysis/35023/

Comments