MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 356c86d7bd72fa4fcb23d2276e07a854d1b92a49b3b7752adb915720a1e2668f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



HijackLoader


Vendor detections: 13



SHA256 hash: 356c86d7bd72fa4fcb23d2276e07a854d1b92a49b3b7752adb915720a1e2668f
SHA3-384 hash: 6c152229c7ac59d3f2114fd242f89b2a37208c35e75f460a9c9d37090f53667e3800d538bb5e0e1a72c365380693ff92
SHA1 hash: fd501ee783c5ed0c0631df7cc48a81288b688261
MD5 hash: 21272a4eab18b4ce018d66e846a594b3
humanhash: king-mexico-friend-nebraska
File name: 02WLPQTDGE.msi
Signature: HijackLoader
File size: 9'990'144 bytes
First seen: 2025-09-22 18:22:36 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:C1M+xD2nDDlujAodvecq0rJvmI6UemBlLyamWRORy:6PIPlujAImcqWtB19mE
Threatray: 12 similar samples on MalwareBazaar
TLSH: T171A6330FCCA213E7C0550174D615D36B4AAA9C233AD19A4E34CC73D5AEF43E9B725EA2
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: AcreedStealer dropped-by-ACRStealer HIjackLoader msi signed telemetryapi-live

Code Signing Certificate

Organisation: Dactyi
Issuer: Dactyi
Algorithm: sha1WithRSA
Valid from: 2018-12-31T23:00:00Z
Valid to: 2098-12-31T23:00:00Z
Serial number: -6bdcce764434475ab372acfc5d4915eb
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 5cc212b15931daa65d2e810061f0a5380034b0b0ea6f3d294b61a7fefeac35c7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


iamaachum
https://mt.tiptopwashbowl.digital/02WLPQTDGE.msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 43
Origin country: ES
Vendor Threat Intelligence

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: installer invalid-signature signed wix

Verdict: Malicious
File Type: msi
First seen: 2025-09-21T09:57:00Z UTC
Last seen: 2025-09-21T09:57:00Z UTC
Hits: ~100
Detections: Trojan-PSW.Win32.Coins.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb HEUR:Trojan-PSW.OLE2.Coins.gen
Result
Threat name: HijackLoader
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to evade analysis by execution special instruction (VM detection)
Writes many files with high entropy
Yara detected HijackLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID: 1782213; sample: 02WLPQTDGE.msi; start date: 22/09/2025; architecture: WINDOWS; score: 100), recovered from the rendered graph as a list:
- Contacted hosts: telemetryapi.live (172.67.183.86, port 443, CLOUDFLARENETUS, United States); ac4305617488db6f8.awsglobalaccelerator.com (52.223.48.152, port 443, AMAZONEXPANSIONGB, United States); bsc-testnet-dataseed.bnbchain.org; 35.71.129.99 (port 443, MERIT-AS-14US, United States)
- Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
- Process tree: the sample starts msiexec.exe and MatrixElect64.exe. msiexec.exe drops MatrixElect64.exe, git2-3f4182d.dll and dynsimpleipc.dll (PE32+) under C:\Users\user\AppData\... and starts MatrixElect64.exe. MatrixElect64.exe drops C:\Users\user\AppData\Local\...\8FD89A6.tmp (PE32), drops MatrixElect64.exe, git2-3f4182d.dll and dynsimpleipc.dll (PE32+) under C:\ProgramData\ClpHtt\, drops C:\Users\user\AppData\...\HyperHandle32.exe (PE32), C:\Users\user\AppData\Local\...\747D5F6.tmp (PE32) and C:\ProgramData\ClpHtt\Chime.exe (PE32), and starts HyperHandle32.exe, Chime.exe and conhost.exe.
- MatrixElect64.exe signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to evade analysis by execution special instruction (VM detection); Found direct / indirect Syscall (likely to bypass EDR); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
- HyperHandle32.exe: connects to 35.71.129.99, telemetryapi.live and ac4305617488db6f8.awsglobalaccelerator.com over port 443; drops C:\...\AeonikPro-Regular.f67c8799.woff2, C:\...\AeonikPro-Regular.397ead0a.woff2 and C:\...\AeonikPro-Regular.2b6e2f45.woff (Web) plus 47 other malicious files; signatures: Found many strings related to Crypto-Wallets (likely being stolen); Writes many files with high entropy; Switches to a custom stack to bypass stack traces
Verdict: inconclusive
YARA: 4 match(es)
Tags: CAB:COMPRESSION:LZX Executable Office Document PE (Portable Executable) PE File Layout

Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Badlisted process makes network request
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family

Verdict: Suspicious
Tags: n/a
YARA: n/a

Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HijackLoader: Microsoft Software Installer (MSI) msi 356c86d7bd72fa4fcb23d2276e07a854d1b92a49b3b7752adb915720a1e2668f (this sample)

Dropped by: ACRStealer

Delivery method: Distributed via web download

Comments