MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OffLoader

Vendor detections: 8

Intelligence 8 IOCs YARA 15 File information Comments

SHA256 hash:	3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9
SHA3-384 hash:	163ae68013369dfa5559633c1894c2facce3bff3e7bc27c886a0f70fa3c3bc76f2440dd7c6cbdf4e7ba6c4c7900f882d
SHA1 hash:	5d6593e3efad0354c160f17a465c965e24a2c985
MD5 hash:	31c60946ccba73a9744543f9120dd9bb
humanhash:	wolfram-nine-north-minnesota
File name:	vlpafdf_325as3.exe
Download:	download sample
Signature	OffLoader Create hunting rule
File size:	4'210'987 bytes
First seen:	2025-12-01 21:41:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ac4ded70f85ef621e5f8917b250855be (7 x OffLoader, 2 x Tofsee)
ssdeep	49152:EN61T1mptmTM/cyM/QLzkHeIz2t7Ml++kzSL9sJYeX1nHPKxl1b8JmdGW3TpO:EN66psb/Scnz2MY5JYQnyxl1ddGSTM
TLSH	T137160123B34A673DF46E4A3B59B2D230593B7E21A80E8CD697E44C4CCF294601E7E657
TrID	60.0% (.EXE) Inno Setup installer (107240/4/30) 23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	smica83
Tags:	exe OffLoader

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

No details

Malware family:

n/a

ID:

File name:

http://qtox-chat.com/vlpafdf_325as3.exe

Verdict:

Suspicious activity

Analysis date:

2025-12-01 21:08:38 UTC

Tags:

loader upx

Link:

https://app.any.run/tasks/7aa4d80e-e3c0-48c7-88d7-0ba105a19a24

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42079/

Gathering data

Verdict:

Clean

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692e0bb516e6db515e45af36

Tags:

n/a

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed

Link:

https://www.filescan.io/uploads/692e0bb6f0bf4cf3caae94ee/reports/f69b0239-1a55-4d73-b96d-59f790fbc6c9/overview

Verdict:

Malicious

Labled as:

Backdoor.Script.LodaRat.a

Link:

https://www.hybrid-analysis.com/sample/3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-01T16:32:00Z UTC

Last seen:

2025-12-01T17:16:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/422dd6ac-1ef5-4495-8008-a24a9b8ebf2c

Result

Threat name:

n/a

Detection:

clean

Classification:

evad

Score:

14 / 100

Link:

https://www.joesandbox.com/analysis/1823976

Behaviour

Behavior Graph:

n/a

Score:

77%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/31c60946ccba73a9744543f9120dd9bb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9/

Verdict:

Malicious

Threat:

Trojan.Win32.RokRat

Link:

https://tip.neiki.dev/file/3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h7q5soj4ztx5r6b2id6ekiv4h2myghvroxc32jqyuepkfbirwouq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer spyware stealer upx

Link:

https://tria.ge/reports/251201-1kekvscy5b/

Behaviour

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9

MD5 hash:

31c60946ccba73a9744543f9120dd9bb

SHA1 hash:

5d6593e3efad0354c160f17a465c965e24a2c985

Link:

https://www.unpac.me/results/f39d54ab-735a-4b74-9eab-65a2613d8621/

SH256 hash:

8fff851de58157b588c4e301d8d916f7673e5704df40a9761f6fcb32399f7f9c

MD5 hash:

4c5830e1705ad532ba8aa6ff2884d38c

SHA1 hash:

9ebddb1b07fa3a4e493991de07e5d65e3d53c5e8

Link:

https://www.unpac.me/results/f39d54ab-735a-4b74-9eab-65a2613d8621/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3fe1d9393ccc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MAL_packer_lb_was_detected Create hunting rule
Author:	0x0d4y
Description:	Detect the packer used by Lockbit4.0

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Rust Create hunting rule
Author:	albertzsigovits
Description:	Application written in Rust programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OffLoader

exe 3fe1d9393cccefd8f83a40fc4522bc3e99831eb175c5bd2618a11ea28511b3a9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3722510/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/42079/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample