MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f
SHA3-384 hash: 75fd4f469d11890a72d206f702fe751a0f2978e3572d564e0dde9449358005d8cd9f6c7118227ca8cbaad570ba4fd423
SHA1 hash: 59eeade79a72ad473a55b8ccec83dcd3657f3006
MD5 hash: fe0480f9a6c01a44d869da88724021d7
humanhash: august-quebec-hawaii-oregon
File name:LOOLCNMK.msi
Download: download sample
Signature HijackLoader
Create hunting rule
File size:7'020'544 bytes
First seen:2025-09-10 18:45:20 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:VhNPN0Mo63S7hkzo4brYelL24H066tXy7:B7i9Z21lrHh
Threatray 10 similar samples on MalwareBazaar
TLSH T17966334EFDC0B788F9F317342513CD29116D5F758A4190BBA352B3E51EB1A88B04EADA
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:bestsecuredwnld-pro DeerStealer donutloader HIjackLoader msi


Avatar
iamaachum
https://bestsecuredwnld.pro/LOOLCNMK.msi

DeerStealer C2: https://eudaimoniahorizon.com/ALBRIGHT

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26781/
Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c1c77bb200525988798cee
Tags:
shellcode backdoor spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug expired-cert fingerprint installer keylogger packed wix
Link:
https://www.filescan.io/uploads/68c1c78c732879482925df82/reports/93c63a5c-2178-456f-9bef-463a9913e2bd/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f
Verdict:
Malicious
File Type:
msi
First seen:
2025-09-10T16:06:00Z UTC
Last seen:
2025-09-10T16:06:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Delf.sb HEUR:Trojan.Win64.Agent.gen
Link:
https://opentip.kaspersky.com/c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f/results?tab=lookup
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1775078
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
Score:
15%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f/
Verdict:
Malicious
Threat:
Family.DEERSTEALER
Link:
https://tip.neiki.dev/file/c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-09 17:00:13 UTC
File Type:
Binary (Archive)
Extracted files:
39
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ypd7fbabhyvgurbppsuz4264elfm4fnpf2xtiucg7bidikn6uvhq._file
Verdict:
malicious
Label(s):
deerstealer
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
183430aed8e7e63cfb4065fe272bf7e47f72509c7d581be0b3f0b341e0409e15
HijackLoader
46c80b2fe7a12d2dbf777f908398e998c2903a98ef3d3fca52c3a25686981dc0
HijackLoader
7a8b766d272b76315356d0757f76cfa1f152f6aa27e9f58c4c2dc204d0054d39
HijackLoader
d33a0e71a626c6de7f74e7801c207128f1fece031051273ae16d55dbb18831c2
HijackLoader
error
HijackLoader
ffac9a6097dc14484a3624655d8e1dad38521e6a33bbb139e6da0b94704410a9
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/250910-xev4wasye1/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/74ccecf8-209a-426b-9cbf-a4be826bfdb8
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c3c7f284013e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DeerStealer

Executable exe d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745

HijackLoader

Microsoft Software Installer (MSI) msi c3c7f284013e2a6a442f7ca99e6bdc22cace15af2eaf345046f8503429bea54f

(this sample)

  
Link
https://tria.ge/250910-xav83ssycy/behavioral2
  
Dropped by
SHA256 d8b805089d2e3a320747f39785258f9db4fffc4e69f3f6b614b411f68b0d8745
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/26781/
  
Dropped by
MD5 1579e6dafdc1c614c17d0a570bcd3abd

Comments