MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903
SHA3-384 hash: 20dfdf674608baca848141d81cbe1c7ebec5a716e326fb7364a1bb5734a01987c0b5d8204fb2a3e76fde0779c5221441
SHA1 hash: 77ef22bc9e4e150267e6d1dee8383ddd72519f09
MD5 hash: 280034b24e5e5cdb23c4443cf83daa11
humanhash: white-cold-three-potato
File name:bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903
Download: download sample
Signature HijackLoader
Create hunting rule
File size:6'422'528 bytes
First seen:2025-09-25 17:44:04 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:2Sx5GIQpbd/QpaZA8ulVKx3+K5cAmd72XXQa2ge6WE:H5GNd/Qpx8hbxQCXXRJZN
Threatray 24 similar samples on MalwareBazaar
TLSH T1F7563321DACADF3AE48DC57369962B01DC00DD8617EC5C6E391CF96808F2FA267F0959
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:94-124-160-119 HIjackLoader msi Raastuff-Holding-ApS

Intelligence

File Origin
# of uploads :
1
# of downloads :
39
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29075/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d57f8fcc9425144151eec1
Tags:
extens spawn hype
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer invalid-signature revoked-cert signed threat
Link:
https://www.filescan.io/uploads/68d57f9374e5a289899362aa/reports/37c1b467-9131-45e6-a5bf-2e6097e42ed1/overview
Verdict:
Suspicious
Labled as:
TrojanDownloader.Rugmi
Link:
https://www.hybrid-analysis.com/sample/bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903
Verdict:
Malicious
File Type:
msi
First seen:
2025-09-25T15:48:00Z UTC
Last seen:
2025-09-25T15:48:00Z UTC
Hits:
~10
Detections:
Trojan.BitCoinMiner.HTTP.C&C HEUR:Trojan.OLE2.Alien.gen Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb
Link:
https://opentip.kaspersky.com/bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903/results?tab=lookup
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/280034b24e5e5cdb23c4443cf83daa11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmmf2vhf7zzdp6xvufsn5n42cakosfzgxpxeycxfzpqmxq36bebq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
230f4de7b92166c695ad4f8bc469e2a39a31d0640ceb994d4f46f1afdabea90b
HijackLoader
5955c621a801b3e3eb1cae8bbbbfa9c271ce90a66ba4da7f076274a49222273b
HijackLoader
5fe9e516f35fff47564762f9bcb9804f73df817ebe12f8fc4d85e586f4542b6b
HijackLoader
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
HijackLoader
bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903
HijackLoader
bcc062030c3615d3f8e42e3a2a0b4410e07cf5c845c72c95b56d41d81bac5f46
HijackLoader
error
HijackLoader
f1051b842f6ba781236e736bcb3a1ed9c10bc2036b6f9d2c43062e0bf7b25bba
HijackLoader
f2b307c985cd781039b54ce7fd7ec58b14f2cb8b55cacd6fa987a291c4082b4f
HijackLoader
+ 14 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader credential_access defense_evasion discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/250925-wbhhya1lv8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Badlisted process makes network request
Enumerates connected drives
Drops startup file
Uses browser remote debugging
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f6136343-57a4-4efa-bd86-cbebcc52a9f6
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb185d54e5fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb185d54e5fe7237faf5a164deb79a1014e91726bbee4c0ae5cbe0cbc37e0903

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29075/

Comments