MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65de4ef064eba4afe141fd4226cd7cd96a1eaf9a6f2e47d3d9ed2aa4e257396e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GhostPulse


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65de4ef064eba4afe141fd4226cd7cd96a1eaf9a6f2e47d3d9ed2aa4e257396e
SHA3-384 hash: 6b34a701b6fbb7c4b98d682b04c239faa5a680fb6f2cdaa66f5e0314536aa506643d6095aadb833e2d9d4cf597e87dda
SHA1 hash: 7cd75a50bcc9b1983204000e5b52e40eb01b9c98
MD5 hash: 494e57200976472ecc98a6f65432ee51
humanhash: maine-fruit-mountain-hamper
File name:SCCZRIQP.msi
Download: download sample
Signature GhostPulse
Create hunting rule
File size:4'411'392 bytes
First seen:2026-05-11 19:46:06 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:xxakH5oGqKAAOD5CMqjCz6vuTXbCtfgy5rkO4VAynV:rDaChOD5CNCuvGbCqgrkO4VAyn
Threatray 239 similar samples on MalwareBazaar
TLSH T1AB16334D32C15957C2DECBB40999B273C1E4CC43958AC96F406DB8984ABEBF42CA47E7
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:GhostPulse HUN msi ShadowLadder

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
HijackLoader MSI
Details
HijackLoader
an XOR key and XOR-decrypted/LZNT1 decompressed component
HijackLoader
embedded components, an injection process, and filepaths
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/e45d6b33-66bf-4b90-b085-1a27a35f9cec/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/65648/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a023217059cfdadce20e198
Tags:
n/a
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/65de4ef064eba4afe141fd4226cd7cd96a1eaf9a6f2e47d3d9ed2aa4e257396e
Verdict:
Clean
File Type:
msi
Link:
https://opentip.kaspersky.com/65de4ef064eba4afe141fd4226cd7cd96a1eaf9a6f2e47d3d9ed2aa4e257396e/results?tab=lookup
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1911889
Signature
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Unusual module load detection (module proxying)
Yara detected HijackLoader
Yara detected MSIL Injector
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1911889 Sample: SCCZRIQP.msi Startdate: 11/05/2026 Architecture: WINDOWS Score: 100 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 6 other signatures 2->60 9 msiexec.exe 88 48 2->9         started        12 msiexec.exe 3 2->12         started        process3 file4 36 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 9->36 dropped 38 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 9->38 dropped 40 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->40 dropped 42 9 other files (none is malicious) 9->42 dropped 14 Dock-Advanced64.exe 15 9->14         started        process5 file6 44 C:\ProgramData\...\Dock-Advanced64.exe, PE32+ 14->44 dropped 46 C:\ProgramData\...\vcruntime140_1.dll, PE32+ 14->46 dropped 48 C:\ProgramData\...\vcruntime140.dll, PE32+ 14->48 dropped 50 9 other files (none is malicious) 14->50 dropped 80 Found many strings related to Crypto-Wallets (likely being stolen) 14->80 18 Dock-Advanced64.exe 7 14->18         started        signatures7 process8 file9 30 C:\Users\user\AppData\Roaming\...\Crisp.exe, PE32 18->30 dropped 32 C:\Users\user\AppData\Local\CoreMe.exe, PE32 18->32 dropped 34 C:\Users\user\AppData\Local\...\B45CF94.tmp, PE32 18->34 dropped 62 Found hidden mapped module (file has been removed from disk) 18->62 64 Maps a DLL or memory area into another process 18->64 66 Switches to a custom stack to bypass stack traces 18->66 22 CoreMe.exe 3 18->22         started        26 Crisp.exe 1 18->26         started        signatures10 process11 dnsIp12 52 5.252.155.27, 49700, 56001 WORLDSTREAMNL Russian Federation 22->52 68 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 22->68 70 Found many strings related to Crypto-Wallets (likely being stolen) 22->70 72 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 22->72 78 4 other signatures 22->78 28 conhost.exe 22->28         started        74 Unusual module load detection (module proxying) 26->74 76 Switches to a custom stack to bypass stack traces 26->76 signatures13 process14
Score:
1%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/65de4ef064eba4afe141fd4226cd7cd96a1eaf9a6f2e47d3d9ed2aa4e257396e
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/494e57200976472ecc98a6f65432ee51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65de4ef064eba4afe141fd4226cd7cd96a1eaf9a6f2e47d3d9ed2aa4e257396e/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/65de4ef064eba4afe141fd4226cd7cd96a1eaf9a6f2e47d3d9ed2aa4e257396e
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxpe54de5osk7ykb7vbcntl43fvb5l42n4xepu6z5uvkjysxhfxa._file
Verdict:
malicious
Label(s):
tinyutility
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
0f5a104c946ec323909661abb8cdd7709e2e36c4d16672194c898c486fece462
GhostPulse
154e3276f14bf8136526e320c6062f76feeb17a3988803a30aaa077a7ffa6b22
GhostPulse
356c86d7bd72fa4fcb23d2276e07a854d1b92a49b3b7752adb915720a1e2668f
GhostPulse
396619b3f50f9f0de1a6ddcf012729e02939927c2234a56c8509e659e3f92b7a
GhostPulse
3bdb6d2cc2125ca6b5c61dbbee32b5b625d96378064df19c506ec04487834a96
GhostPulse
65a44df3f521f11fef1138c8fb32ad16749f12830025eeea925f9fb19f32edf1
GhostPulse
7f92ce6ddf632dd49b6052f77857bd03e7e00f89965d9d6648c60773847ba6df
GhostPulse
8986d305ceed84c8dbc430ae7caf31b645f22fe5c4c29bca869eaee9abc46585
GhostPulse
c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728
GhostPulse
error
GhostPulse
+ 229 additional samples on MalwareBazaar
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/260511-yg5a1aht4v/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects HijackLoader (aka IDAT Loader)
Family: HijackLoader, IDAT loader, Ghostulse,
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/65de4ef064eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65de4ef064eba4afe141fd4226cd7cd96a1eaf9a6f2e47d3d9ed2aa4e257396e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/65648/

Comments