MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7
SHA3-384 hash: 0abf99360ceed4cf11ffc15a6e72de60723000258414d4088f080e92053fcac0d80a518f9e59d057b6d195b17c3054c1
SHA1 hash: 44be6cac388692cc057bf3ae9c3ed5512b002595
MD5 hash: 1e6c20b81eec31ef9abf8838b6c055a4
humanhash: april-kitten-north-glucose
File name:installer.msi
Download: download sample
Signature HijackLoader
Create hunting rule
File size:2'764'800 bytes
First seen:2025-10-25 15:03:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:zpPqHgHhehWast/vY32cUiMTajH7RP3brTuZ1Dl+lRvxKm:zq2hJ+32UMOXR/b3urh+lZxf
TLSH T1D4D533A43F6D483AD09AB2BD9175D3C67713FF605F3BA64124C33A0A62F9AD00129ED5
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SquiblydooBlog
Tags:HIjackLoader msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34087/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fce6cf6c859164aa645f0c
Tags:
shellcode virus spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug expired-cert fingerprint installer wix
Link:
https://www.filescan.io/uploads/68fce6ca3a79800405f632cf/reports/07d89c1d-06c3-4918-bd0f-0de99650b846/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7
Verdict:
Malicious
File Type:
msi
First seen:
2025-10-25T12:18:00Z UTC
Last seen:
2025-10-26T19:45:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Agent.sb HEUR:Trojan.OLE2.Alien.gen
Link:
https://opentip.kaspersky.com/df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7/results?tab=lookup
Score:
3%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/1e6c20b81eec31ef9abf8838b6c055a4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=35qfviqoniwqttxp27nwfz77etdesuah6xocurj6m2tnzaeqwhlq._file
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader credential_access discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251025-sfclpsew7c/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Reads user/profile data of local email clients
Unsecured Credentials: Credentials In Files
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bba0a04d-dbd4-4f7a-8652-e44d4964d7cf
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/df605aa20e6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df605aa20e6a2d09ceefd7db62e7ff24c6495007f5dc2a453e66a6dc8090b1d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34087/

Comments