MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3052bd320a34e12ee694811ed0578797477dfd480c664491e509ed15ce1a6961. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: OffLoader

Vendor detections: 6

SHA256 hash: 3052bd320a34e12ee694811ed0578797477dfd480c664491e509ed15ce1a6961
SHA3-384 hash: b4ec5cc225e8f956e8aa0f558637bffc80cb5c1b7b2cf114d2fb4df64591215b5ed2d8a27b9ca039825567be7c982762
SHA1 hash: 5751f5b13bf89bbaac742ab7f071ba2327788d46
MD5 hash: 954b6a928bfecfb011f534f35a8ee415
humanhash: burger-lion-december-six
File name: Installer.exe
Signature: OffLoader
File size: 1'806'180 bytes
First seen: 2026-04-01 09:30:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 40ab50289f7ef5fae60801f88d4541fc (60 x ValleyRAT, 49 x Gh0stRAT, 42 x OffLoader)
ssdeep: 24576:HawwKusHwEwSDMn6xcidUSeMITCqgcfyr4Py6K22i+i8rtVs1ZY7jQY71Z:XwREDDM4dHeMxWrP+beY7UY71Z
TLSH: T1DD85CF23F2CBE03EE05E0B3B05B2A15494FB6A616522AD5796ECB4ECCF351601D3E647
TrID:
  50.8% (.EXE) Inno Setup installer (107240/4/30)
  20.4% (.EXE) InstallShield setup (43053/19/16)
  19.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  3.0% (.EXE) Win64 Executable (generic) (6522/11/2)
  2.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 5050d270cccc82ae (112 x Adware.Generic, 70 x OffLoader, 43 x LummaStealer)
Reporter: aachum
Tags: dropped-by-OffLoader exe OffLoader pw-ebsqeobzwzorqapepmqadkhvxfpcwo


iamaachum
https://watchadvance.com/Installer.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: ES

Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer.exe
Verdict:
No threats detected
Analysis date:
2026-04-01 08:58:04 UTC
Tags:
delphi inno installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Verdict:
Clean
File Type:
exe x32
First seen:
2026-03-24T14:34:00Z UTC
Last seen:
2026-04-03T07:19:00Z UTC
Hits:
~100
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
4 / 100
Behaviour
Behavior Graph:
n/a
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery installer
Behaviour
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
3052bd320a34e12ee694811ed0578797477dfd480c664491e509ed15ce1a6961
MD5 hash:
954b6a928bfecfb011f534f35a8ee415
SHA1 hash:
5751f5b13bf89bbaac742ab7f071ba2327788d46
SHA256 hash:
4503b159b6dc5367a5be5a190aad0d813f3963c7f17597944c01da2ff31d747b
MD5 hash:
26b02d16ec2da83483b7fa5e004bd54f
SHA1 hash:
6b673bf5e011017034d9e03a6ae57e8b8f011b97
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: pe_detect_tls_callbacks
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/
Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OffLoader

Executable exe 3052bd320a34e12ee694811ed0578797477dfd480c664491e509ed15ce1a6961 (this sample)

Dropped by: OffLoader

Delivery method: Distributed via web download

Comments