MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c68ede9934529477f86d80b5d02f5be7245ca6326cf0b02ac37516d6cfc8c2c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader
Vendor detections: 9

SHA256 hash: c68ede9934529477f86d80b5d02f5be7245ca6326cf0b02ac37516d6cfc8c2c4
SHA3-384 hash: fc7653b42a529089c1938eceee22f3618a18f0ac849870d6e94da602f490c5a2eafc9e73c3f007a5a6fea2ae8b26c541
SHA1 hash: bb8fc8538c6679aaea2d47ee213dac68afd19057
MD5 hash: 90701a6d19a9ba6b50475fade887c71e
humanhash: mike-twenty-vegan-lemon
File name: file
Signature: HijackLoader
File size: 11'912'164 bytes
First seen: 2026-07-01 17:57:04 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:or+8sguSswyNLNJQxLREeX5DTsuLiGQobB8RjO0eA0NxtbT1nPMmQ3UQFLuLZKuT:L+oaTBLbqRfetvU3UXL4G
TLSH: T16CC6D02276C58071D56B13301A5DB32993BDBD704B3156D3B7D42FAE2EB00C2AA367A7
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: Bitsight
Tags: 54e64e dropped-by-amadey HIjackLoader msi


Bitsight
url: http://91.92.242.236/files-129312398/files/file_4c436927d72aed3f.msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 77
Origin country: US
Vendor Threat Intelligence
Malware configuration found for: HijackLoader MSI
Details
Verdict: Malicious
Score: 90.9%
Tags: vmdetect
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug anti-vm crypto expired-cert explorer fingerprint lolbin packed reconnaissance wix
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery loader persistence privilege_escalation
Behaviour:
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
Family: HijackLoader, IDAT loader, Ghostulse
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: dependsonpythonailib
Author: Tim Brown
Description: Hunts for dependencies on Python AI libraries
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: telebot_framework
Author: vietdx.mb
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader
Microsoft Software Installer (MSI) msi c68ede9934529477f86d80b5d02f5be7245ca6326cf0b02ac37516d6cfc8c2c4 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

Comments