MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7abb1a1a22b2ac76eedac8d92435e1adddf895c93bcc9a3484c0f0a629a97cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HijackLoader

Vendor detections: 12

Intelligence 12 IOCs YARA 23 File information Comments

SHA256 hash:	f7abb1a1a22b2ac76eedac8d92435e1adddf895c93bcc9a3484c0f0a629a97cd
SHA3-384 hash:	521feee4a31781147443b9cb5153c6b4abf033116081d10744bada78fc478b52050409fcdd522ef2d8d5edb462253380
SHA1 hash:	f0607465178372d745248a684d83fe00e2a4f0d4
MD5 hash:	32b054758d81d9aa400e4edf14e0a145
humanhash:	cola-earth-montana-oklahoma
File name:	SecuriteInfo.com.Other.Malware-gen.71537516
Download:	download sample
Signature	HijackLoader Create hunting rule
File size:	32'909'356 bytes
First seen:	2025-10-28 13:37:58 UTC
Last seen:	2025-10-28 15:20:43 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	393216:uLCYhEzQ4AowYgIQ4AowFoyJsv6tWKFdu9CzPr7HfiFJ4JoN340APTHKk0MaAmEq:uEsJSvb
Threatray	129 similar samples on MalwareBazaar
TLSH	T13C77AE97B3AA51A0C177C13CCA9B422BF5B2780587228BCB56959B191F337E15B3FB01
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	SecuriteInfoCom
Tags:	HIjackLoader msi

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6900c76a9942f1282ec9aaad

Tags:

virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

action anti-debug anti-vm expired-cert fingerprint keylogger overlay packed wix

Link:

https://www.filescan.io/uploads/6900c76d3a79800405faca8d/reports/0dcde184-bedc-429a-85f1-1c783da2f92f/overview

Verdict:

Suspicious

Labled as:

Malware.U.Generic

Link:

https://www.hybrid-analysis.com/sample/f7abb1a1a22b2ac76eedac8d92435e1adddf895c93bcc9a3484c0f0a629a97cd

Verdict:

Malicious

File Type:

msi

First seen:

2025-10-28T08:50:00Z UTC

Last seen:

2025-10-29T03:04:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb HEUR:Trojan.OLE2.Alien.gen

Link:

https://opentip.kaspersky.com/f7abb1a1a22b2ac76eedac8d92435e1adddf895c93bcc9a3484c0f0a629a97cd/results?tab=lookup

Gathering data

Verdict:

Malicious

Threat:

Family.HIJACKLOADER

Link:

https://tip.neiki.dev/file/f7abb1a1a22b2ac76eedac8d92435e1adddf895c93bcc9a3484c0f0a629a97cd

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=66v3dincfmvmo3xnvsgzeq26dlo57ck4so6mti2ijqhquyu2s7gq._file

Verdict:

malicious

Label(s):

hijackloader

HijackLoader

70a1c2bc6c70934cd9359c40bb89ea394e233f091753dbbc7ce8791af4d45ed8

HijackLoader

7a2f79417a831fdb83ba97fff320e4af5fd0070afe13b7f4566ac6c6ea02117d

HijackLoader

925806855df0ca1baaa169c65d9a3f237b3088fc48fd19ce602bc46d1f61d7f8

HijackLoader

e48a405905bafb86371ca77c72e15be99d1d62b941ddd1ff50f33b6944bcb8c2

HijackLoader

e9d69675ec56f72930a0a7bc9f43a7cb36231d67ad1e71278943fd3426ae51a6

HijackLoader

error

HijackLoader

+ 119 additional samples on MalwareBazaar

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader discovery loader persistence privilege_escalation

Link:

https://tria.ge/reports/251028-qxqhsayqez/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Hijackloader family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/86daa96f-500a-4db6-9dbc-57f3447d3b2f

Malware family:

IDATLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f7abb1a1a22b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f7abb1a1a22b2ac76eedac8d92435e1adddf895c93bcc9a3484c0f0a629a97cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CarbonOrchestrator_v3_77_ Create hunting rule

Rule name:	CarbonOrchestrator_v3_79_ Create hunting rule

Rule name:	CarbonOrchestrator_v3_81_ Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_Websites Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference of suspicious sites that might be used to download further malware

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample