MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OffLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7
SHA3-384 hash: 601c4df1c648c3d86b2c4bde561a5f95d5f67546f494fa9e8844d15fa9072700d64f4d54b77e66c2afa98d8d17e31d1a
SHA1 hash: 91fca0a9689ef9886e2aa001e2c0f36d08dc2b3e
MD5 hash: 699be1c9de4ea0bf8084221f63c4acfd
humanhash: grey-sweet-twenty-twelve
File name:file
Download: download sample
Signature OffLoader
Create hunting rule
File size:8'920'254 bytes
First seen:2026-03-12 18:39:59 UTC
Last seen:2026-03-12 19:34:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ac4ded70f85ef621e5f8917b250855be (54 x OffLoader, 3 x Tofsee, 3 x QuasarRAT)
ssdeep 98304:mN667eNjSbPP+0TF2/IdWewAnMGmz14lEbuzeLfX80C6Nsi+KUIk78O3mZZFdWb8:2AjIuaFHWmnM714ubuqDyUsY82ZYK2
TLSH T189961233B289A33DE06D5A379AB2D2605D3B6E11A51B8C0796E43C5DEF2D0601E7F643
TrID 63.8% (.EXE) Inno Setup installer (107240/4/30)
24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (6522/11/2)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 OffLoader


Avatar
Bitsight
url: http://158.94.208.7/files/8425384370/cpX8aAx.exe

Intelligence

File Origin
# of uploads :
13
# of downloads :
144
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/682963f1-9713-4a60-a1be-285ae9b4cf44/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2026-03-12 18:40:24 UTC
Tags:
anti-evasion inno installer delphi upx
Link:
https://app.any.run/tasks/b4fbd301-9140-4936-9bd8-f2900fcb93b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57244/
Detection(s):
SecuriteInfo.com.FileRepMalware.64353844.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b308a35a439615ccbfc884
Tags:
injection dropper virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404
Link:
https://www.filescan.io/uploads/69b3089c493cb7d62df99a02/reports/0030d525-86ef-4354-9674-9e983f1ac811/overview
Verdict:
Malicious
Labled as:
TrojanDldr.OffLoader.gen
Link:
https://www.hybrid-analysis.com/sample/3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7
Verdict:
Malicious
File Type:
exe x32
Detections:
UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/411d900b-968e-4277-8786-c4baa9a8a627
Score:
69%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7/
Verdict:
Malicious
Threat:
Family.OFFLOADER
Link:
https://tip.neiki.dev/file/3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-12 18:40:37 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gkjojwgoqblnghufgab2vvghy25srmggpjlhewbjw2hae7xszk3q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
credential_access defense_evasion discovery installer privilege_escalation spyware stealer upx
Link:
https://tria.ge/reports/260312-xbd17agy6s/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Access Token Manipulation: Create Process with Token
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7
MD5 hash:
699be1c9de4ea0bf8084221f63c4acfd
SHA1 hash:
91fca0a9689ef9886e2aa001e2c0f36d08dc2b3e
Link:
https://www.unpac.me/results/55e1698d-5a70-40cf-a7f1-2ee0777005cb/
SH256 hash:
a953e39c5840fb432d48a6b53d70a6db97db9b9a80506897b95336d3b28c2b92
MD5 hash:
8c92257a0fc93f71465c6d38f80f1f2e
SHA1 hash:
8f9fcfc4601b560b6c999e8d9dbf861eb62c64d3
Link:
https://www.unpac.me/results/55e1698d-5a70-40cf-a7f1-2ee0777005cb/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/55e1698d-5a70-40cf-a7f1-2ee0777005cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OffLoader

Executable exe 3292e4d8ce8056d31e853003aad4c7c6bb28b0c67a56725829b68e027ef2cab7

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57244/
  
URLhaus
https://urlhaus.abuse.ch/url/3794699/

Comments