MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda
SHA3-384 hash: fd8fcb97ec2fa72412fccaf5fc98fa4afae46de774eb344b840c06e8cd6a6e5bb7de8cd66b49312713c19a37aab1ee26
SHA1 hash: 24cfac5e5c61411984a61f57c36f32c0b7b8355e
MD5 hash: f6635370c0a061fac52195483429c315
humanhash: north-idaho-nineteen-eighteen
File name:file
Download: download sample
Signature HijackLoader
Create hunting rule
File size:3'943'538 bytes
First seen:2026-01-22 13:11:49 UTC
Last seen:2026-01-22 14:03:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 13 x HijackLoader, 5 x Adware.IObit)
ssdeep 98304:vV69/ws8OWsNwP4UJe9jcRAaYbsrnJwTMkw0zjd6A4d:vAz8rwUyjcKaYbsWwkw0z56Td
Threatray 175 similar samples on MalwareBazaar
TLSH T1B9063313D3D31539F5A125328D729C05ED9AF6B80DEA40482EB4E90F1DB2B86C9F7792
TrID 70.9% (.EXE) Inno Setup installer (107240/4/30)
9.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.9% (.EXE) Win64 Executable (generic) (10522/11/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 HIjackLoader


Avatar
Bitsight
url: http://130.12.180.43/files/6021162326/TC9VOYs.exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
148
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/0d017246-6f55-43db-9a92-35d98eb98e6a/
Malware family:
n/a
ID:
1
File name:
_f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda.exe
Verdict:
No threats detected
Analysis date:
2026-01-22 13:12:47 UTC
Tags:
delphi inno installer
Link:
https://app.any.run/tasks/4efa9dc0-409b-4af0-85a3-cbd8eb14486e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49733/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69722249f3cf908ba5075410
Tags:
shellcode injection dropper emotet
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404
Link:
https://www.filescan.io/uploads/69722244f3c1b7b1fbda251a/reports/1b700b2b-2fb6-4c9d-9204-8788b5df0a81/overview
Verdict:
Malicious
Labled as:
Malware_51.0
Link:
https://www.hybrid-analysis.com/sample/f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-22T10:50:00Z UTC
Last seen:
2026-01-24T02:21:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a01c9503-60dd-4798-9d05-545ab93977f6
Score:
40%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/f6635370c0a061fac52195483429c315
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda
Threat name:
Win32.Trojan.Hijackloader
Create hunting rule
Status:
Suspicious
First seen:
2026-01-22 13:12:52 UTC
File Type:
PE (Exe)
Extracted files:
68
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6abi56vanwme2kipnnxvxwr67rv6nlb2q3i2c4nwdpdnt3ct5pna._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
643fe4bf793c941d42c14c59d85fa033381652fafbd4122792c04cc0316c2d68
HijackLoader
8b4a40d5bf036b2193ffe08ec01f8d5e5eebbd63ba793bea714965ba216362ff
HijackLoader
94307191dba3962e5dc121fa2a984a784a951af0c0fc9229571898667e320578
HijackLoader
9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
HijackLoader
c3e984ae59b1fa59e9c97c775b69014e63d37558bda0ea61451597a788116b24
HijackLoader
ea623740c81d566c3ad240c8b7c481a3ff5e5e0dd34c5e24e28204727c0e75cc
HijackLoader
error
HijackLoader
+ 165 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery installer loader
Link:
https://tria.ge/reports/260122-qfs8caht7g/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Unpacked files
SH256 hash:
f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda
MD5 hash:
f6635370c0a061fac52195483429c315
SHA1 hash:
24cfac5e5c61411984a61f57c36f32c0b7b8355e
Link:
https://www.unpac.me/results/7d9a6902-7df6-4714-be22-82807d0a1e38/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/7d9a6902-7df6-4714-be22-82807d0a1e38/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/7d9a6902-7df6-4714-be22-82807d0a1e38/
SH256 hash:
8f0beb5863d190b7b2cfe7f506f3b721ab6b9e892337a133364f2ba710931b25
MD5 hash:
be3cc5717f5951662adb399d613f20cc
SHA1 hash:
f776bc4344ad59fbd6950d24d3aa6dddb3df215a
Link:
https://www.unpac.me/results/7d9a6902-7df6-4714-be22-82807d0a1e38/
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f0028efaa06d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

Executable exe f0028efaa06d984d290f6b6f5bda3efc6be6ac3a86d1a171b61bc6d9ec53ebda

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3762002/
Cape
Cape
https://www.capesandbox.com/analysis/49733/

Comments