MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aab194f10b0bf13879177d42e353d4f6e82dd61e530a26dd9b3727d31c0263af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SharkStealer


Vendor detections: 13



SHA256 hash: aab194f10b0bf13879177d42e353d4f6e82dd61e530a26dd9b3727d31c0263af
SHA3-384 hash: 79d5bbb35c6c51a094c9b6b8db318b7909aa317b02c9aff68afdd2d935b5acd3c6aa2e23a9988d72c928a558154f25ef
SHA1 hash: 861c3a0739d0d67c83b74a6ea55e09e2e1305aab
MD5 hash: dbd642943be9b856d809886a91e96a92
humanhash: quiet-seventeen-pip-mike
File name: 01MHHVYFRM.msi
Signature: SharkStealer
File size: 12'513'280 bytes
First seen: 2025-09-17 18:20:06 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:iDr9qZg4sJKdsLBMRjxenL/YqmHZZEXERGtGMO8VZFBdm/nBPjW6:inkZ2JKdsLKtgLAqmHZZkE8tH5VZFybP
Threatray: 44 similar samples on MalwareBazaar
TLSH: T1A1C633A298624713EC8B17B2615BB09DA2014E10727C79519BCB7F0926F6F72EE3137D
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: 91-242-163-152 dropped-by-ACRStealer HIjackLoader msi SharkStealer signed

Code Signing Certificate

Organisation: Gen Digital Inc
Issuer: Gen Digital Inc
Algorithm: sha1WithRSA
Valid from: 2018-12-31T23:00:00Z
Valid to: 2098-12-31T23:00:00Z
Serial number: 551dbfe32f39d5ae463d7dc84d0f3d78
Thumbprint Algorithm: SHA256
Thumbprint: 6b83edc21d9616f84282eb8bf9b385056ad2bcc1e934dad9de638ad66a900e96
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


iamaachum
http://mi.raisindispose.com/kaWt2QXfpPueNM/F.ct/01MHHVYFRM.msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 45
Origin country: ES
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug crypto expired-cert fingerprint installer short-lived-cert signed wix
Verdict: Malicious
File Type: msi
First seen: 2025-09-17T15:38:00Z UTC
Last seen: 2025-09-17T15:38:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Inject.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb HEUR:Trojan.OLE2.Alien.gen
Result
Threat name: HijackLoader
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected HijackLoader
Behaviour
Behavior Graph ID: 1779497 (Sample: 01MHHVYFRM.msi, Startdate: 17/09/2025, Architecture: WINDOWS, Score: 88)
Sample root: DNS/IP contacts x.ss2.us, data-seed-prebsc-2-s1.binance.org and 2 other IPs or domains; signatures: Found malware configuration, Antivirus detection for dropped file, Yara detected HijackLoader; starts msiexec.exe, aq.exe and a second msiexec.exe
msiexec.exe: drops C:\Users\user\AppData\Local\...\cmdres.dll (PE32+) and C:\Users\user\AppData\Local\...\aq.exe (PE32+); starts aq.exe
aq.exe (started directly): signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
aq.exe (started by msiexec.exe): drops C:\Users\user\...\NortonBrowserProtect.exe (PE32), C:\Users\user\AppData\Local\...\6DC5828.tmp (PE32), C:\ProgramData\ArmouryDevice\cmdres.DLL (PE32+) and C:\ProgramData\ArmouryDevice\Chime.exe (PE32); signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process, Tries to detect sandboxes and other dynamic analysis tools (process name or module or function), Found hidden mapped module (file has been removed from disk), 2 other signatures; starts NortonBrowserProtect.exe and Chime.exe
NortonBrowserProtect.exe: network contacts 91.242.163.152 (ports 1477, 49698, 49700; OOO-SYSMEDIA-ASRU, Russian Federation), a8a00b7a27dd309f6.awsglobalaccelerator.com 3.33.196.84 (ports 49695, 8545; AMAZONEXPANSIONGB, United States) and 2 other IPs or domains; signatures: Switches to a custom stack to bypass stack traces, Found direct / indirect Syscall (likely to bypass EDR)
Verdict: inconclusive
YARA: 4 match(es)
Tags: CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump)
Result
Malware family: shark_stealer
Score: 10/10
Tags: family:hijackloader family:shark_stealer defense_evasion discovery loader persistence privilege_escalation ransomware spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Badlisted process makes network request
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects SharkStealer payload
HijackLoader
Hijackloader family
SharkStealer
Shark_stealer family
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64-encoded PowerShell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
SharkStealer: Microsoft Software Installer (MSI) msi aab194f10b0bf13879177d42e353d4f6e82dd61e530a26dd9b3727d31c0263af (this sample)
Dropped by: ACRStealer
Delivery method: Distributed via web download

Comments