MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 159ce7c134396ee8cc63bee79d4cad522a3eda047da9f339bbee2d7ace5b85f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OffLoader

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	159ce7c134396ee8cc63bee79d4cad522a3eda047da9f339bbee2d7ace5b85f1
SHA3-384 hash:	fe90b566de7c329eaa7cddadfa985fac42440865232ce890be14a4100725cceb2d530df2d18739f0732a411b9c20fc7d
SHA1 hash:	b087d663111eef9b98f31a7cfb87ccfd411e21cf
MD5 hash:	8b0bc313bca8d96a6fd30bb6a7ee14da
humanhash:	ceiling-table-steak-twenty
File name:	8b0bc313bca8d96a6fd30bb6a7ee14da.exe
Download:	download sample
Signature	OffLoader Create hunting rule
File size:	1'955'584 bytes
First seen:	2025-09-08 11:38:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd455830ba918de67076b7c65d86586 (75 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep	49152:OxXXm66OSWrWg9iKhbWS1ilCiYsCSqNledqF:OxHXSMWyySKGsCl0qF
TLSH	T18795CF23F2CBA13FF06A4A364A77D212553BBA6169128C6697EC389CCF251D01D3F647
TrID	49.8% (.EXE) Inno Setup installer (107240/4/30) 20.0% (.EXE) InstallShield setup (43053/19/16) 19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 4.8% (.EXE) Win64 Executable (generic) (10522/11/4) 2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	5050d270cccc82ae (112 x Adware.Generic, 70 x OffLoader, 43 x LummaStealer)
Reporter	abuse_ch
Tags:	exe OffLoader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8b0bc313bca8d96a6fd30bb6a7ee14da.exe

Verdict:

Malicious activity

Analysis date:

2025-09-08 11:42:19 UTC

Tags:

delphi inno installer adware

Link:

https://app.any.run/tasks/cd8bede3-cca2-41bd-8b68-512d566734a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26248/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68bec07e6e66ba602d792a87

Tags:

downloader dropper virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context alien anti-debug embarcadero_delphi fingerprint installer overlay overlay packed threat zero

Link:

https://www.filescan.io/uploads/68bec07b8d5f72f2e3848eee/reports/c40f5f0d-f187-4858-8439-7859d72875e5/overview

Verdict:

Malicious

Labled as:

Win32_TrojanDownloader_Agent_HIO

Link:

https://www.hybrid-analysis.com/sample/159ce7c134396ee8cc63bee79d4cad522a3eda047da9f339bbee2d7ace5b85f1

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-04T11:30:00Z UTC

Last seen:

2025-09-04T11:30:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/159ce7c134396ee8cc63bee79d4cad522a3eda047da9f339bbee2d7ace5b85f1/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2f9c518d-89b5-4f50-8224-82349e456bdc

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1773064

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Behaviour

Behavior Graph:

Download SVG

Score:

82%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/159ce7c134396ee8cc63bee79d4cad522a3eda047da9f339bbee2d7ace5b85f1

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/159ce7c134396ee8cc63bee79d4cad522a3eda047da9f339bbee2d7ace5b85f1/

Threat name:

Win32.Trojan.Etset

Status:

Malicious

First seen:

2025-09-04 21:10:00 UTC

File Type:

PE (Exe)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cwoopqjuhfxortddx3tz2tfnkivd5wqepwu7gon35ywxvts3qxyq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/250908-nslb6avkv3/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/39b23d8a-7a7b-47a5-94a8-15c0941e1a97

Unpacked files

SH256 hash:

159ce7c134396ee8cc63bee79d4cad522a3eda047da9f339bbee2d7ace5b85f1

MD5 hash:

8b0bc313bca8d96a6fd30bb6a7ee14da

SHA1 hash:

b087d663111eef9b98f31a7cfb87ccfd411e21cf

Link:

https://www.unpac.me/results/b243c27a-b40b-4763-821c-3990a0722866/

SH256 hash:

f4365d159f00bf20fab25d7a2d8684528f3ccbcf48f3bdb5a75fd6268a9cda11

MD5 hash:

c92977d52cc7dca405c311dcdee14def

SHA1 hash:

9dffb65b3f70071e62567cfd9d85020ab0cdb4f7

Link:

https://www.unpac.me/results/b243c27a-b40b-4763-821c-3990a0722866/

SH256 hash:

a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec

MD5 hash:

6faec01bf7a3d7f5c5dee2e6e3143a58

SHA1 hash:

603a36f817cab5574e58ab279379e5c112e5fb37

Link:

https://www.unpac.me/results/b243c27a-b40b-4763-821c-3990a0722866/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/159ce7c134396ee8cc63bee79d4cad522a3eda047da9f339bbee2d7ace5b85f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/26248/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample