Malicious
Signed Windows driver exhibiting process-injection behaviour; community YARA rules and signer history indicate rootkit malware.
4f412f9aa89994cda4…0e8725917e
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The file presents a complex profile: it carries a valid Microsoft Windows Hardware Compatibility Publisher signature and is silent across tier-1 antivirus engines, which would normally suggest legitimacy. However, the signer's history is damaging — the only prior sample we have with this signer was verdicted malicious (Rootkit.Agent.AJNQ, keylog.sys). Community YARA researchers have independently flagged this sample with 5 rules targeting rootkit and signed-driver injection patterns. The file exhibits T1055 (Process Injection) as its sole offensive MITRE technique, consistent with rootkit deployment. The combination of signer-history precedent, community rule convergence, and injection-focused behaviour outweighs the absence of tier-1 detections, which may reflect evasion or novelty rather than benignity.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- tier1Malicious=0; 17 tier-1 engines (Kaspersky, BitDefender, ESET, Fortinet, Avast, Ikarus, etc.) all report undetected — no tier-1 consensus on malware.
- signing.verified=true, signer='Microsoft Windows Hardware Compatibility Publisher', trustedPublisher.matched=true — Microsoft-signed driver.
- signerStats: 1/1 prior samples malicious (Rootkit.Agent.AJNQ); similarHashes[0] verdict='malicious' (score=12) for 'keylog.sys' signed by same publisher — signer history is malicious.
- triggeredHeuristics: T1055 (Process Injection) + yaraify_rules_fired=5 including 'killer_rookit' and 'signed_drv_IoCreateDevice' — community researchers converged on rootkit/injection signatures.
- behaviour: T1055 offensive technique present; no sandbox verdicts, no malicious contacted hosts, no dropped children — runtime behaviour is injection-focused but not conclusively malicious in isolation.
- Signed by Microsoft Windows Hardware Compatibility Publisher (verified)
- 17 tier-1 antivirus engines report undetected
- No malicious sandbox verdicts
- No malicious contacted hosts or dropped children
- Process injection (T1055) observed — rootkit deployment technique
- 5 community YARA rules converge on rootkit/driver-injection signatures
- Prior sample with same signer verdicted malicious (Rootkit.Agent.AJNQ)
- Signed driver — elevated privilege execution context
- Medium prevalence (53 submissions) — known malicious driver in circulation
Treat this file as malicious rootkit malware. The combination of signer-history precedent (prior Rootkit.Agent.AJNQ sample), community YARA rule convergence, and process-injection behaviour outweighs the absence of tier-1 detections. Isolate affected systems and perform forensic analysis; do not rely on the Microsoft signature as a safety indicator.
CP Script Inject Detector corroborated by 2 sources
- 6 YARA rules: CP_Script_Inject_Detector, DebuggerCheck__QueryInfo, killer_rookit
- MT AI Engine: Rootkit.Agent.AJNQ
1 corroborating signal from researcher-curated sources
- CP_Script_Inject_Detector by DiegoAnalytics: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
- DebuggerCheck__QueryInfo
- killer_rookit by wtl: detect killer rookit
- PE_Digital_Certificate by albertzsigovits
- signed_drv_IoCreateDevice by wonderkun: signed_sys_with_vulnerablity
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
- CP_Script_Inject_Detector
- DebuggerCheck__QueryInfo
- killer_rookit
- PE_Digital_Certificate
- signed_drv_IoCreateDevice
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: T1055 (MITRE)
0 detections across 75 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: OceanGraper.sys
- Size: 23.2 KB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 4f412f9aa89994cda45422d23d6d961809225de9a4f5a8bfbfb9ac0e8725917e
- MD5: 3ee985c5fd1f5784e15a4d11b3ca70a1
- SHA-1: 33148c93465908ddad71cf189e22091dc0058ac4
- PE imphash: 07386745331387b83012a6786eacb5ac
- First seen (VT): 2/20/2026, 4:55:08 AM
- Last analysis (VT): 6/27/2026, 3:41:39 PM
- First scan (MalwareTips): 7/2/2026, 12:06:55 PM
- Last scan (MalwareTips): 7/2/2026, 12:06:55 PM
- Code signer: Microsoft Windows Hardware Compatibility Publisher (verified)