MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e
SHA3-384 hash: 70ea5e535eb6aac90a23fd602813c55f7b261db91c62314963f4e54269069e59de0f8f7e65b91a0f32209a03900fab45
SHA1 hash: 30a5e9bbf3067e1126b77f5fe9346f0a95284239
MD5 hash: 627b9e77d72a873845f01b728555a878
humanhash: pennsylvania-princess-mexico-triple
File name:index.html
Download: download sample
Signature HijackLoader
Create hunting rule
File size:4'534'272 bytes
First seen:2025-11-30 08:30:09 UTC
Last seen:2025-11-30 15:22:50 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:05lvGU2NMr71jbbpSVmKkfuBWVhdc/T9u+wfZ/:0rhjHfi4Z
Threatray 76 similar samples on MalwareBazaar
TLSH T1972633813C764FC3DDF65176CA7E0B8AA916DDACDB57E2666C8433DB21307A112AF042
TrID 68.9% (.MST) Windows SDK Setup Transform script (61000/1/5)
22.0% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
9.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter juroots
Tags:HIjackLoader msi

Intelligence

File Origin
# of uploads :
4
# of downloads :
30
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
HijackLoader MSI
Details
HijackLoader
embedded components, an injection process, and filepaths
HijackLoader
an XOR key and XOR-decrypted/LZNT1 decompressed component
MSI
an embedded setup program or component
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41903/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692c00a45546d77c091f2df2
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug expired-cert fingerprint installer installer keylogger masquerade packed wix
Link:
https://www.filescan.io/uploads/692c009ed0d5e7288b513871/reports/8b1a995c-c05a-4d28-8ed4-43c4f115d95d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-11-27T22:40:00Z UTC
Last seen:
2025-11-28T02:20:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e/results?tab=lookup
Score:
11%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/627b9e77d72a873845f01b728555a878
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e/
Threat name:
Win32.Trojan.Hijackloader
Create hunting rule
Status:
Suspicious
First seen:
2025-11-27 17:52:30 UTC
File Type:
Binary (Archive)
Extracted files:
22
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4d5pbdvdwftl4f3jlvwq32aadc5noue5yox6rlcdddkrlhoxpzha._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
deerstealer
Create hunting rule
Similar samples:
0852ae81624c390a57e57d930e86b8c1bc080813481ee5bd505f81352c7e6fe6
HijackLoader
25b34f7a1aa68458a150182a2a292ea61bc3a45a72782839fdc0be58b90bd655
HijackLoader
36ed257f720670415af0fbd4c06f9a115572d63e9183f2d142beae47b74cc5ed
HijackLoader
82a6ebc4ce6cc397cbcc8c7002901a83a2568beec4fa88e279a5f0512fdf5085
HijackLoader
9705b02f24c62bc938211d125bfeb3c4fc842b2cd74f05df36cfb3a23c7bbcec
HijackLoader
ab1adb55d3c57eae4734a43e86212f367c1ac3563702c2bd0678242a726c6c23
HijackLoader
bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
HijackLoader
bfc96abe978e154086f793062458b43ca9d570fd8c62c47c0d4ad0d3e1edbbaf
HijackLoader
c15948678da6fa539c4a81e4686054b51e1f99365d05eb022005fe703e93dfbd
HijackLoader
error
HijackLoader
+ 66 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251130-kebzsafy7b/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a9f22998-f53c-4215-84df-6543853fd1bc
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0faf08ea3b1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Microsoft Software Installer (MSI) msi e0faf08ea3b166be17695d6d0de80018bad7509dc3afe8ac4318d5159dd77e4e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/41903/
  
URLhaus
https://urlhaus.abuse.ch/url/3721490/
  
Delivery method
Distributed via web download

Comments