MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


HijackLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c
SHA3-384 hash: 5f72b1670d4caf377f258717fc0a7926b0f7f0a9e9c52e3de0ce57ada2566059ab3899b4a720cbdbf647fed0f058b2e9
SHA1 hash: 2d64516a90a14f4b506abf51fb47964605c605ca
MD5 hash: 68fab3883cc29fbaaad774f3c5a32bf5
humanhash: bravo-hamper-alanine-wisconsin
File name:WHKHPGPL.msi
Download: download sample
Signature HijackLoader
Create hunting rule
File size:9'314'304 bytes
First seen:2026-04-01 08:20:44 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:D5kHTrm2infg+xeczdTJIDdy686HARLDCTMU7yN2m8uGhrcrKv10OtXDXtmh6tHB:lqEJJDySjPgJuzmtXhYgwdy
Threatray 4 similar samples on MalwareBazaar
TLSH T13396337E6A6A8723C12F4CB814530D56B93C8C05237BC9EBC265700B2B7B5E69F9570E
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:DeerStealer HIjackLoader msi


Avatar
iamaachum
cdn.discordapp.com/attachments/912255872850346027/1488542586292666470/WHKHPGPL.msi?ex=69cd28d0&is=69cbd750&hm=6aacab5b8ebdc6079f18ab5a2a99b5ae812f959a391fea40f7831fad9f5d0456&=

DeerStealer C2: mulcaireldritchnaileir.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
ES ES
Vendor Threat Intelligence
Gathering data
Gathering data
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ccd5d66363ca5d27f06d6b
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug fingerprint installer keylogger packed wix
Link:
https://www.filescan.io/uploads/69ccd5812346b9da57b6197c/reports/da3be9a3-c761-4b7d-a62f-ff9228393c01/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
Detections:
Trojan.Win32.Penguish.sb Trojan.Win32.Strab.sb
Link:
https://opentip.kaspersky.com/ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c/results?tab=lookup
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1891914
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sample is not signed and drops a device driver
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected HijackLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1891914 Sample: WHKHPGPL.msi Startdate: 01/04/2026 Architecture: WINDOWS Score: 100 64 mulcaireldritchnaileir.com 2->64 66 beacons.gcp.gvt2.com 2->66 68 beacons-handoff.gcp.gvt2.com 2->68 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Yara detected HijackLoader 2->78 80 Joe Sandbox ML detected suspicious sample 2->80 11 msiexec.exe 82 42 2->11         started        15 msiexec.exe 3 2->15         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 11->50 dropped 52 C:\Users\user\AppData\Local\...\sciter-x.dll, PE32+ 11->52 dropped 54 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32+ 11->54 dropped 56 4 other malicious files 11->56 dropped 104 Sample is not signed and drops a device driver 11->104 17 M_Framework.exe 9 11->17         started        signatures6 process7 file8 36 C:\ProgramData\...\vcruntime140_1.dll, PE32+ 17->36 dropped 38 C:\ProgramData\...\sciter-x.dll, PE32+ 17->38 dropped 40 C:\ProgramData\...\M_Framework.exe, PE32+ 17->40 dropped 42 4 other files (1 malicious) 17->42 dropped 72 Sample is not signed and drops a device driver 17->72 21 M_Framework.exe 7 17->21         started        signatures9 process10 file11 44 C:\Users\user\AppData\...\VSLauncher.exe, PE32 21->44 dropped 46 C:\Users\user\AppData\Local\TurboD.exe, PE32+ 21->46 dropped 48 C:\Users\user\AppData\Local\...\6D25402.tmp, PE32+ 21->48 dropped 82 Modifies the context of a thread in another process (thread injection) 21->82 84 Found hidden mapped module (file has been removed from disk) 21->84 86 Maps a DLL or memory area into another process 21->86 88 Switches to a custom stack to bypass stack traces 21->88 25 TurboD.exe 21->25         started        29 VSLauncher.exe 21->29         started        signatures12 process13 dnsIp14 70 mulcaireldritchnaileir.com 172.67.162.86, 443, 49723, 49725 CLOUDFLARENETUS United States 25->70 90 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->90 92 Tries to harvest and steal browser information (history, passwords, etc) 25->92 94 Writes to foreign memory regions 25->94 102 3 other signatures 25->102 31 chrome.exe 1 25->31         started        96 Unusual module load detection (module proxying) 29->96 98 Switches to a custom stack to bypass stack traces 29->98 100 Found direct / indirect Syscall (likely to bypass EDR) 29->100 signatures15 process16 process17 33 chrome.exe 31->33         started        dnsIp18 58 www.google.com 142.251.157.119, 443, 49738, 49741 GOOGLEUS United States 33->58 60 192.178.50.67, 443, 49734, 49742 GOOGLEUS United States 33->60 62 2 other IPs or domains 33->62
Score:
4%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c/
Verdict:
Malicious
Threat:
Family.HIJACKLOADER
Link:
https://tip.neiki.dev/file/ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vtrdguldj6nyc2ymplvm5wved7aorun5264yzjeda6bekp7tjm6a._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
deerstealer
Create hunting rule
Similar samples:
c6da7a605f7544315134dd1fcaf85dfb15652b98ae1b458eb0138dd98c8f6b9f
HijackLoader
error
HijackLoader
f9716ee5dd7c68f16b578817d60d1baeff9502e339322eca4a78873e9e528c04
HijackLoader
Result
Malware family:
hijackloader
Create hunting rule
Score:
  10/10
Tags:
family:deerstealer family:donutloader family:hijackloader discovery loader persistence privilege_escalation ransomware spyware stealer upx
Link:
https://tria.ge/reports/260401-j842zsh13n/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
System Time Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
UPX packed file
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DeerStealer
Deerstealer family
Detects DeerStealer
Detects DonutLoader
Detects HijackLoader (aka IDAT Loader)
DonutLoader
Donutloader family
HijackLoader, IDAT loader, Ghostulse,
Hijackloader family
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ace23351634f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DeerStealer

Microsoft Software Installer (MSI) msi c6da7a605f7544315134dd1fcaf85dfb15652b98ae1b458eb0138dd98c8f6b9f

HijackLoader

Microsoft Software Installer (MSI) msi ace23351634f9b816b0c7aeacedaa41fc0e8d1bdd7b98ca4830782453ff34b3c

(this sample)

  
Link
https://tria.ge/260401-j4hceshz5p/behavioral1
  
Dropped by
SHA256 c6da7a605f7544315134dd1fcaf85dfb15652b98ae1b458eb0138dd98c8f6b9f
  
Delivery method
Distributed via web download
  
Dropped by
MD5 566ed2b1d948f1648adc8fa29cd889f9
Cape
Cape
https://www.capesandbox.com/analysis/60016/

Comments