MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9
SHA3-384 hash: 12c10d88fc951a5571b72e7acbcd766ea6336214613186d20ceb700c69cddec663f705a232612c03ab9e75f83c3b475c
SHA1 hash: 1eac64699086b8f146626d0291c41dcdf376316f
MD5 hash: 55b6a68958ce593e8d3fc7420e234886
humanhash: sixteen-alanine-lima-paris
File name:WZOVINHP.msi
Download: download sample
Signature HijackLoader
Create hunting rule
File size:12'017'664 bytes
First seen:2026-02-03 19:11:29 UTC
Last seen:2026-02-03 19:33:48 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:iQeJKrv8vgWATQgs9xGrxB0bWt9rZ874T4LeyIil++FqlzMM:iQ1rkoWEixGlaG/1yxl
TLSH T1EAC633323BD00342D26FBA3A5E2BD0B5D6231C4AB7EE1E952576F1D92C3562712423E7
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:91-84-123-231 ClickFix HIjackLoader msi


Avatar
iamaachum
https://pub-50a54badab6f4f408cd8e6c0a3dbfa4f.r2.dev/WZOVINHP.msi

IOC: 91.84.123.231:3333
softwareprocessca.com

Downloads http://84.21.173.142/delivery/sup.msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
44
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
HijackLoader MSI
Details
HijackLoader
an XOR key and XOR-decrypted/LZNT1 decompressed component
HijackLoader
embedded components, an injection process, and filepaths
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/6934a08c-490c-48bb-bf8b-7757072947bd/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51560/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698248919a60ec70d92c8417
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug crypto expired-cert installer installer wix
Link:
https://www.filescan.io/uploads/6982488e552d46acbff0867f/reports/38cbba3b-b173-4d01-87fe-bd892fa98d92/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2026-02-03T16:19:00Z UTC
Last seen:
2026-02-04T05:21:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Penguish.sb Trojan.Win32.Strab.sb HEUR:Trojan.Win32.Agentb.gen HEUR:Trojan.OLE2.Alien.gen
Link:
https://opentip.kaspersky.com/10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9/results?tab=lookup
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1862761
Signature
Contains VNC / remote desktop functionality (version string found)
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Unusual module load detection (module proxying)
Yara detected HijackLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1862761 Sample: WZOVINHP.msi Startdate: 03/02/2026 Architecture: WINDOWS Score: 100 48 example.com 2->48 54 Found malware configuration 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected HijackLoader 2->58 60 Yara detected UAC Bypass using CMSTP 2->60 9 msiexec.exe 89 49 2->9         started        12 msiexec.exe 3 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\S_Circuitr.exe, PE32 9->32 dropped 34 C:\Users\user\AppData\Local\...\zpsres.US.dll, PE32 9->34 dropped 36 C:\Users\user\AppData\Local\...\zcl.dll, PE32 9->36 dropped 38 10 other files (none is malicious) 9->38 dropped 14 S_Circuitr.exe 16 9->14         started        process6 file7 40 C:\ProgramData\superhost_v8\S_Circuitr.exe, PE32 14->40 dropped 42 C:\ProgramData\superhost_v8\zpsres.US.dll, PE32 14->42 dropped 44 C:\ProgramData\superhost_v8\zcl.dll, PE32 14->44 dropped 46 10 other files (none is malicious) 14->46 dropped 78 Found API chain indicative of debugger detection 14->78 80 Switches to a custom stack to bypass stack traces 14->80 18 S_Circuitr.exe 5 14->18         started        signatures8 process9 file10 28 C:\Users\user\AppData\Roaming\...\Crisp.exe, PE32 18->28 dropped 30 C:\Users\user\AppData\Local\...\PlaneV128.exe, PE32 18->30 dropped 62 Maps a DLL or memory area into another process 18->62 64 Switches to a custom stack to bypass stack traces 18->64 66 Found direct / indirect Syscall (likely to bypass EDR) 18->66 22 PlaneV128.exe 5 18->22         started        26 Crisp.exe 3 18->26         started        signatures11 process12 dnsIp13 50 91.84.123.231, 3333, 49695, 49697 ECLIPSEGB United Kingdom 22->50 52 example.com 104.18.26.120, 49696, 49698, 49700 CLOUDFLARENETUS United States 22->52 68 Query firmware table information (likely to detect VMs) 22->68 70 Contains VNC / remote desktop functionality (version string found) 22->70 72 Unusual module load detection (module proxying) 22->72 74 Found direct / indirect Syscall (likely to bypass EDR) 22->74 76 Switches to a custom stack to bypass stack traces 26->76 signatures14
Score:
4%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cddlqex5k43sruwy55wtwur73qzzhejpfyknjclf3gv7kijprheq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
error
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader credential_access discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/260203-xwla1aew7g/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Drops file in Drivers directory
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10c6b812fd57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader

PowerShell (PS) ps1 642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092

HijackLoader

Microsoft Software Installer (MSI) msi 10c6b812fd573728d2d8ef6d3b523fdc3393912f2e14d48965d9abf5212f89c9

(this sample)

  
Link
https://tria.ge/260203-xnjgfaet6f/behavioral2
  
Dropped by
SHA256 642993f67f16b6c920ce88c59f2fe596495ebe76973766a81998139fcad4d092
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/51560/
  
Dropped by
MD5 7b5f3973a2d479d674baa51ab400e01d

Comments