MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6
SHA3-384 hash: 894ad669beec2272d9dc86bf1fd81a06039b525ac0d8aaaba5c92840577dbe0ed78da6025989c156159e77fec3a90181
SHA1 hash: 4910f730e915ff0e179ede1a6fbe5614f29d4569
MD5 hash: ca63888b5c001ce8d6c8e4f22c12a21f
humanhash: quebec-orange-wisconsin-nineteen
File name:FYWNWPDI.msi
Download: download sample
Signature HijackLoader
Create hunting rule
File size:5'554'176 bytes
First seen:2025-10-10 07:02:51 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:mq/Bcc3ljub350/DSBk1O6JC1naEWVEuxC8duXUcMHHnp3Eo1dOu1J:mqCc3a07Gk3JAadm8dynEhdv1J
Threatray 20 similar samples on MalwareBazaar
TLSH T1AF46334CF596C52AEA8B023899318B1724943D8B339F5C4A149BF58F5B3096367F53CD
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter juroots
Tags:HIjackLoader msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
38
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32232/
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e8b01d777ae46bec40f188
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/68e8bc4bfe81c560ba566fb8/reports/4eba5274-2cd6-48f5-8ef9-1db0b05434a3/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6
Verdict:
Unknown
File Type:
msi
First seen:
2025-10-11T03:15:00Z UTC
Last seen:
2025-10-11T10:25:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6/results?tab=lookup
Score:
5%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3iwxakldm3an4odqd24ejz52kk3op57ooagjqvfpavbb7j2zopta._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
356c86d7bd72fa4fcb23d2276e07a854d1b92a49b3b7752adb915720a1e2668f
HijackLoader
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
HijackLoader
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
HijackLoader
aab194f10b0bf13879177d42e353d4f6e82dd61e530a26dd9b3727d31c0263af
HijackLoader
ad81b2f47eefcdce16dfa85d8d04f5f8b3b619ca31a14273da6773847347bec8
HijackLoader
bcc062030c3615d3f8e42e3a2a0b4410e07cf5c845c72c95b56d41d81bac5f46
HijackLoader
c8251d1aba99075ce6f8f735b72015c2589e936bcdf544f87c5947324ec8b056
HijackLoader
e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
HijackLoader
error
HijackLoader
f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac
HijackLoader
+ 10 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery execution loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251010-jq8bpaskz5/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/647ce1df-ac96-4faa-83b2-654edc22cb9b
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da2d70296366/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Microsoft Software Installer (MSI) msi da2d70296366c0de38701eb844e7ba52b6e7f7ee700c9854af05421fa75973e6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3666947/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32232/

Comments