MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
SHA3-384 hash: 23359aa39f259271f37bbd2505c45e5793705a6d4f2bee941f4f57e3d175c20cec1648d0c7d1fd0dc2c2d716156dfddb
SHA1 hash: 2956d509a8e84925631e3f71859d6bce474c7bc9
MD5 hash: f3cb0006c1b895b4dbf91edfa0df2cdc
humanhash: fish-zebra-ohio-bravo
File name:QTEKXZWS.msi
Download: download sample
Signature HijackLoader
Create hunting rule
File size:5'500'928 bytes
First seen:2025-09-16 19:20:20 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:JvwFnJKE7MAc8dNzpdZEQlzNKcZDmq3wl74q4urmB/OtTT9UROAjutECKD0:hYJKETvhzN/vu74POYR5jKTKD
Threatray 13 similar samples on MalwareBazaar
TLSH T196463301F576F122E9464E701E8B96D0ED9ECD69D50A4C8FEA9DF98E3EBC3E11113806
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:ClickFix DeerStealer FakeCaptcha HIjackLoader msi


Avatar
iamaachum
https://bestsecuredwnld.pro/QTEKXZWS.msi

DeerStealer C2: https://maenadkiln.com/william-devry?

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27795/
Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c9b9fdd49ea3f1e4b695db
Tags:
backdoor
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug installer wix
Link:
https://www.filescan.io/uploads/68c9b903b29d966a312c363f/reports/026da362-dee4-4db5-beb7-954a58f18adb/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-09-16T18:45:00Z UTC
Last seen:
2025-09-16T18:45:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418/results?tab=lookup
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778793
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1778793 Sample: QTEKXZWS.msi Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 69 maenadkiln.com 2->69 71 beacons.gcp.gvt2.com 2->71 73 beacons-handoff.gcp.gvt2.com 2->73 99 Suricata IDS alerts for network traffic 2->99 101 Found malware configuration 2->101 103 Malicious sample detected (through community Yara rule) 2->103 105 2 other signatures 2->105 11 msiexec.exe 82 42 2->11         started        14 Sync-Station.exe 5 2->14         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 53 C:\Users\user\AppData\Local\...\mfc140u.dll, PE32 11->53 dropped 55 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32 11->55 dropped 57 C:\Users\user\AppData\Local\Temp\...\Up.dll, PE32 11->57 dropped 61 2 other malicious files 11->61 dropped 19 Sync-Station.exe 9 11->19         started        59 C:\Users\user\AppData\Local\...\AFF977C.tmp, PE32+ 14->59 dropped 119 Modifies the context of a thread in another process (thread injection) 14->119 121 Maps a DLL or memory area into another process 14->121 23 VirtualDi.exe 14->23         started        25 XPFix.exe 14->25         started        signatures6 process7 file8 45 C:\ProgramData\...\mfc140u.dll, PE32 19->45 dropped 47 C:\ProgramData\...\VCRUNTIME140.dll, PE32 19->47 dropped 49 C:\ProgramData\channelService_test\Up.dll, PE32 19->49 dropped 51 2 other files (1 malicious) 19->51 dropped 107 Switches to a custom stack to bypass stack traces 19->107 109 Found direct / indirect Syscall (likely to bypass EDR) 19->109 27 Sync-Station.exe 7 19->27         started        signatures9 process10 file11 63 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 27->63 dropped 65 C:\Users\user\AppData\Local\...\9D31CBE.tmp, PE32+ 27->65 dropped 67 C:\ProgramData\VirtualDi.exe, PE32+ 27->67 dropped 111 Modifies the context of a thread in another process (thread injection) 27->111 113 Found hidden mapped module (file has been removed from disk) 27->113 115 Maps a DLL or memory area into another process 27->115 117 2 other signatures 27->117 31 VirtualDi.exe 27->31         started        35 XPFix.exe 27->35         started        signatures12 process13 dnsIp14 85 maenadkiln.com 172.67.206.203, 443, 49692, 49711 CLOUDFLARENETUS United States 31->85 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->87 89 Tries to harvest and steal browser information (history, passwords, etc) 31->89 91 Writes to foreign memory regions 31->91 97 3 other signatures 31->97 37 chrome.exe 2 31->37         started        93 Switches to a custom stack to bypass stack traces 35->93 95 Found direct / indirect Syscall (likely to bypass EDR) 35->95 signatures15 process16 dnsIp17 75 192.168.2.5, 138, 443, 49675 unknown unknown 37->75 77 192.168.2.6 unknown unknown 37->77 40 chrome.exe 37->40         started        43 chrome.exe 37->43         started        process18 dnsIp19 79 play.google.com 142.250.189.14, 443, 49705 GOOGLEUS United States 40->79 81 www.google.com 142.250.68.68, 443, 49697, 49698 GOOGLEUS United States 40->81 83 6 other IPs or domains 40->83
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418/
Threat name:
Win32.Trojan.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 19:27:48 UTC
File Type:
Binary (Archive)
Extracted files:
891
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=432nj5ukxuovz3jw2fqg2fwefnr2a3c4naoumyvqb64gqo7suqma._file
Verdict:
malicious
Label(s):
deerstealer
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
230f4de7b92166c695ad4f8bc469e2a39a31d0640ceb994d4f46f1afdabea90b
HijackLoader
5955c621a801b3e3eb1cae8bbbbfa9c271ce90a66ba4da7f076274a49222273b
HijackLoader
5d3e68d15490e52e3cb5d386658ab60d13af3459aa1286e46000a5cea8dcec88
HijackLoader
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
HijackLoader
7dfe8d25b80b42ba7834c671f91956652ba929a239056bfc4321622eab60de3e
HijackLoader
bcc062030c3615d3f8e42e3a2a0b4410e07cf5c845c72c95b56d41d81bac5f46
HijackLoader
error
HijackLoader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/250916-x3c8zahl6w/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader
Hijackloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/858c331d-9c9c-4750-a8d3-c64d3e0a9ece
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6f4d4f68abd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:sus_pe_free_without_allocation
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution
Rule name:Windows_Trojan_GhostPulse_caea316b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Batch (bat) bat f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac

HijackLoader

Microsoft Software Installer (MSI) msi ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151

HijackLoader

Microsoft Software Installer (MSI) msi e6f4d4f68abd1d5ced36d1606d16c42b63a06c5c681d4662b00fb8683bf2a418

(this sample)

  
Link
https://tria.ge/250916-xw9nlaxny2/behavioral2
  
Dropped by
SHA256 ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151
  
Delivery method
Distributed via web download
  
Dropped by
MD5 a0f4dd0e9ac7e37fe5b7e3e01f3752a1
Cape
Cape
https://www.capesandbox.com/analysis/27795/

Comments