MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ce9cc80d2795f1d40fcdedeffae79c69bbed62eb89ff3587d5a6a482f112e7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



HijackLoader


Vendor detections: 14



SHA256 hash: 9ce9cc80d2795f1d40fcdedeffae79c69bbed62eb89ff3587d5a6a482f112e7d
SHA3-384 hash: 475f8e9b4034335862037edf336c9272631c8983014b3aad3f056c6b3713bf3773dc3c604569d96ebbff67a2c61ad8b7
SHA1 hash: 6b1e09a7894dfaeb02993a553a205a44fcc4fbfb
MD5 hash: 188b1df9bc3e1dbef887112029f0acb4
humanhash: spaghetti-gee-fruit-item
File name: LabST64.msi
Signature: HijackLoader
File size: 3'825'664 bytes
First seen: 2026-03-01 14:02:09 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:Rp1X9K0lzB2hEqg48bWkYKJOBe+aGp5VDOiDeTbfSQx:N00lzB2hZMbWRyOBe+x9oq
TLSH: T1930633513AC5CA36E65E2877517AA766213ABE710B38C1CBB6503DAD8C347E2F934313
TrID: 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
      1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: AdaptixC2 c-waltherwolf-com dropped-by-ACRStealer HIjackLoader msi


iamaachum
http://91.92.243.200/tmp/LabST64.msi


AdaptixC2 C2:
https://c.waltherwolf.com/sysmon

Intelligence


File Origin
# of uploads: 1
# of downloads: 76
Origin country: ES
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug CAB crypto expand expired-cert expired-cert explorer fingerprint fingerprint installer installer keylogger lolbin obfuscated packed wix
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
Detections:
HEUR:Trojan.OLE2.Alien.gen Backdoor.Win64.AdaptixC2.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Agent.sb
Result
Threat name:
HijackLoader
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Unusual module load detection (module proxying)
Yara detected HijackLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 1876498
Sample: LabST64.msi
Startdate: 01/03/2026
Architecture: WINDOWS
Score: 100

Root (node 2): contacts c.waltherwolf.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  Starts: msiexec.exe (10), LabStellar32.exe (13), LabStellar32.exe (16), msiexec.exe (18)

msiexec.exe (10)
  Dropped: C:\Windows\Installer\MSICC6B.tmp (PE32); C:\Windows\Installer\MSIA171.tmp (PE32)
  Starts: msiexec.exe (20)

LabStellar32.exe (13)
  Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  Starts: XPFix.exe (22)

LabStellar32.exe (16)
  Dropped: C:\Users\user\AppData\Local\...\D3C1006.tmp (PE32+)
  Signatures: Modifies the context of a thread in another process (thread injection)
  Starts: SpectrumForg.exe (25), XPFix.exe (27)

msiexec.exe (20)
  Starts: LabStellar32.exe (29), expand.exe (33), icacls.exe (35), icacls.exe (37)

XPFix.exe (22)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

LabStellar32.exe (29)
  Dropped: C:\ProgramData\SSLExplore\LabStellar32.exe (PE32); C:\ProgramData\SSLExplore\mfc110u.dll (PE32); C:\ProgramData\SSLExplore\MSVCR110.dll (PE32); 2 other files (none is malicious)
  Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
  Starts: LabStellar32.exe (39)

expand.exe (33)
  Dropped: C:\Users\user\AppData\...\mfc110u.dll (copy, PE32); C:\Users\user\AppData\...\MSVCR110.dll (copy, PE32); C:\Users\user\AppData\...\MSVCP110.dll (copy, PE32); 7 other malicious files
  Starts: conhost.exe (43)

icacls.exe (35)
  Starts: conhost.exe (45)

icacls.exe (37)
  Starts: conhost.exe (47)

LabStellar32.exe (39)
  Dropped: C:\Users\user\AppData\Roaming\...\XPFix.exe (PE32); C:\Users\user\AppData\Local\...\A82F222.tmp (PE32+); C:\ProgramData\SpectrumForg.exe (PE32+)
  Signatures: Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; 2 other signatures
  Starts: XPFix.exe (49), SpectrumForg.exe (52)

XPFix.exe (49)
  Signatures: Unusual module load detection (module proxying); Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)

SpectrumForg.exe (52)
  Network: c.waltherwolf.com 172.67.187.137, port 443 (source ports 49691, 49692), CLOUDFLARENETUS, United States
Threat name:
Win32.Trojan.Hijackloader
Status:
Malicious
First seen:
2026-03-01 13:55:35 UTC
File Type:
Binary (Archive)
Extracted files:
866
AV detection:
7 of 24 (29.17%)
Threat level:
5/5
Verdict:
malicious
Label(s):
adaptixc2 hijackloader
Similar samples:
Result
Malware family:
hijackloader
Score:
10/10
Tags:
family:adaptixc2 family:hijackloader RAT backdoor discovery loader persistence privilege_escalation ransomware trojan
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
AdaptixC2
Adaptixc2 family
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, Ghostulse
Hijackloader family
Malware family:
IDATLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: telebot_framework
Author: vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  HijackLoader
    Microsoft Software Installer (MSI) msi 9ce9cc80d2795f1d40fcdedeffae79c69bbed62eb89ff3587d5a6a482f112e7d (this sample)

Dropped by: ACRStealer
Delivery method: Distributed via web download

Comments