MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OffLoader

Vendor detections: 16

Intelligence 16 IOCs YARA 12 File information Comments

SHA256 hash:	1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc
SHA3-384 hash:	22fd3407a4c096fce816a65f6883cc9d8a5d0aa80e41b129ff9d575aa6579e51e135a085b0c65b0fcdd5a5379214f6e1
SHA1 hash:	d59d1a5b6a62fd8184af0f9735233013b05dec1f
MD5 hash:	87cd9e18c3f04e43f447e775d33e2153
humanhash:	three-ohio-georgia-california
File name:	Yunxuan SPA Therapy Center Project List.exe
Download:	download sample
Signature	OffLoader Create hunting rule
File size:	13'204'657 bytes
First seen:	2025-12-16 21:52:08 UTC
Last seen:	2025-12-17 09:47:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ac4ded70f85ef621e5f8917b250855be (51 x OffLoader, 3 x Tofsee, 3 x QuasarRAT)
ssdeep	393216:wK30zGgTu6iWUn8LW4aaEG7lIExT564Z7OHY:v30zdu1L86Re7556w7B
Threatray	556 similar samples on MalwareBazaar
TLSH	T157D62333B28A673EE47E1A3B55B696605D3B7621645B8C5296F00C8CCF2E0A01E7F753
TrID	60.0% (.EXE) Inno Setup installer (107240/4/30) 23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	smica83
Tags:	exe OffLoader

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/bf9baa69-2bff-47e2-8569-6e775be1ba97/

Malware family:

n/a

ID:

File name:

_1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc.exe

Verdict:

Malicious activity

Analysis date:

2025-12-16 21:52:54 UTC

Tags:

purehvnc zgrat netreactor rust

Link:

https://app.any.run/tasks/7f2e3c4f-068e-4d34-b7ae-39bb71f9ad81

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45282/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6941d4aec97f4a807a3b5a34

Tags:

shellcode asyncrat keylog word

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Moving a file to the %temp% subdirectory

Launching a process

Creating a process with a hidden window

Loading a suspicious library

Creating a file

Using the Windows Management Instrumentation requests

Connection attempt

Sending a custom TCP request

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed tofsee

Link:

https://www.filescan.io/uploads/6941d492e126b9ff43839301/reports/9469c876-9a6f-48af-a31c-903c1164e6ab/overview

Verdict:

Malicious

Labled as:

Backdoor.Script.LodaRat.a

Link:

https://www.hybrid-analysis.com/sample/1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-16T12:05:00Z UTC

Last seen:

2025-12-17T07:13:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan.MSIL.Agent.gen Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.jou Trojan.MSIL.Donut.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5ddbff00-8d7c-4f70-914a-183ce89dab33

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1834395

Signature

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal Bitcoin Wallet information

Unusual module load detection (module proxying)

Behaviour

Behavior Graph:

Download SVG

Score:

84%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/87cd9e18c3f04e43f447e775d33e2153

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc/

Verdict:

Malicious

Threat:

Family.ZGRAT

Link:

https://tip.neiki.dev/file/1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc

Threat name:

Win32.Backdoor.Asyncrat

Status:

Suspicious

First seen:

2025-12-16 17:40:07 UTC

File Type:

PE (Exe)

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=djndzi2wrwhvj2hbkfsfj7ydg3kk4s6asluuhgthy4zbw4gl2d6a._file

Verdict:

malicious

Label(s):

unc_loader_078

OffLoader

1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc

OffLoader

1c19ab0611daf084a84fdb7b472600e1b7c9e5885130a827c3e1111eab08931d

OffLoader

33fdb1d88108e070e964165d1ff0c2ca71625e30795d3af5b7d27d59339720bb

OffLoader

418252eb085798db438426ca8c3697584e5ae359692bf71ed6f71db93017d35b

OffLoader

5c2458ab58bb10c023e9f88ed69d94c046501fce9e4181ea4a2e68ba458f07e4

OffLoader

64b97d63af694192e4d6ba57c278ec324eaf6c8700c0f7cade06f5a08da81f5a

OffLoader

ce50b4d9c84e5d113361ed821f86fef6f509a04cfac76f003f25a2aaec49954f

OffLoader

error

OffLoader

+ 546 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer

Link:

https://tria.ge/reports/251216-1q7htswqem/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/476d7b32-8219-4fac-939a-8fa900b3c73e

Unpacked files

SH256 hash:

1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc

MD5 hash:

87cd9e18c3f04e43f447e775d33e2153

SHA1 hash:

d59d1a5b6a62fd8184af0f9735233013b05dec1f

Link:

https://www.unpac.me/results/c8e376a0-a424-4afe-85b2-3d5d2eeded4b/

SH256 hash:

3890c3a9285d0e28f3152840226979df0ec74aa591093fe7c6c1e55ad29ca0c3

MD5 hash:

eac168e7c54f477e13f4fe907271cb1d

SHA1 hash:

ba78787c3942d4508ccdae5900157a49ff4e864e

Link:

https://www.unpac.me/results/c8e376a0-a424-4afe-85b2-3d5d2eeded4b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a5a3ca3568d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1a5a3ca3568d8f54e8e1516454ff0336d4ae4bc092e9439a67c7321b70cbd0fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Generic_Threat_c9003b7b Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45282/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample