MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OffLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1
SHA3-384 hash: 6d54c7d25c98e3675c7cb333030b0457ade309d98000e308890a775faa0c89b08782b7611162cf3e3b5b49583b18bb8e
SHA1 hash: 8020fd84859d7e27d925347c14db0731c10f4410
MD5 hash: 4ba96692be4cf31708e1a6125b0bd31e
humanhash: charlie-artist-shade-three
File name:Ambient_Client.exe
Download: download sample
Signature OffLoader
Create hunting rule
File size:2'097'758 bytes
First seen:2026-03-16 12:51:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 88016fcdef7f227c62171d0afad9aae4 (5 x OffLoader, 3 x Gh0stRAT, 2 x ValleyRAT)
ssdeep 49152:duI5hRQks3WcUUMxuUO6QQNJ8cOxqDNrlHgVt:d5/u3OnuMNucySNrla
Threatray 304 similar samples on MalwareBazaar
TLSH T1D0A5C03FF28BA13EE06E1A367972A110553B7A61A4128C5296FCF88CCF255701D3E797
TrID 50.8% (.EXE) Inno Setup installer (107240/4/30)
20.4% (.EXE) InstallShield setup (43053/19/16)
19.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.0% (.EXE) Win64 Executable (generic) (6522/11/2)
2.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Giveup
Tags:Check_unhandledExceptionFiler_iat DebuggerPattern__CPUID DebuggerPattern__RDTSC DebuggerTiming__PerformanceCounter DebuggerTiming__Ticks exe OffLoader


Avatar
Giveup
Auto-submitted by RATScanner (score 49/100, MEDIUM)

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Ambient_Client.exe
Verdict:
Malicious activity
Analysis date:
2026-03-16 12:52:28 UTC
Tags:
adware innosetup
Link:
https://app.any.run/tasks/83a9c213-b25f-43da-9e51-ee68019ec97a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57638/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.22612875.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b7789493b644ca466a795d
Tags:
shellcode dropper delphi crypt
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint infostealer inno installer installer installer-heuristic packed soft-404
Link:
https://www.filescan.io/uploads/69b7fcfb2000fc76c3e246a3/reports/ac12f542-59a5-426c-b352-b02fb68b8dcf/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_C_ml
Link:
https://www.hybrid-analysis.com/sample/b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Trojan-Downloader.Win32.OffLoader.gen
Link:
https://opentip.kaspersky.com/b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e2342688-3d99-461f-aa22-2532bd23d973
Score:
80%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/4ba96692be4cf31708e1a6125b0bd31e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1/
Verdict:
Malicious
Threat:
Family.OFFLOADER
Link:
https://tip.neiki.dev/file/b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1
Threat name:
Win32.Trojan.Alevaul
Create hunting rule
Status:
Malicious
First seen:
2026-03-15 22:21:53 UTC
File Type:
PE (Exe)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgtv5z62vkcx7v5npfxkdjbgirakc6xrpaqyy65wy7uoxx4ticqq._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
084c4628027cd8896bc9144f36388739f98577f38f0bace678dc03a6d3db75b1
OffLoader
092fb803ea1777965f61e4e60a8ba0a1c5b1eb688ce3554ddbaf0bf28f6bb254
OffLoader
16711abff41ad69c4e2eaec323fe4037dddb072d6028628dee85d2c37ac5ab94
OffLoader
1755169c2eb55a83e75e30f4420f76456c28cd3af64ff2532b030cf5195843ce
OffLoader
18535509a6d259487b6b06edf2f1b2df3c4890fe16d630c8a2ec6af32cbe8b32
OffLoader
6064742f07e20c04ba5944cb8c3998779f8fe8d138f918040401386d78c49771
OffLoader
63bd2535fa047323b76cb578c8d57b16d568bc5aa3c39249ef7fde2448b336ce
OffLoader
adbe2e211ee1636d1e6d6a547cb7a84a977417794668ea5e9cca3bf859d0f8a6
OffLoader
e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd
OffLoader
+ 294 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery installer
Link:
https://tria.ge/reports/260316-p35dfsfw2w/
Behaviour
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Unpacked files
SH256 hash:
b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1
MD5 hash:
4ba96692be4cf31708e1a6125b0bd31e
SHA1 hash:
8020fd84859d7e27d925347c14db0731c10f4410
Link:
https://www.unpac.me/results/ea16fd4e-f374-4281-aa3c-3ac5c4467771/
SH256 hash:
270e4502522ebf3834d266fb650c1ee8bdb39c12fcb21add23906831c42b51d7
MD5 hash:
26dc6a20671352a6200d0d388f7db2b8
SHA1 hash:
e0f1a3c8b401fc1a0c6f6e637b865776f4312210
Link:
https://www.unpac.me/results/ea16fd4e-f374-4281-aa3c-3ac5c4467771/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/ea16fd4e-f374-4281-aa3c-3ac5c4467771/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1a75ee7daaa857fd7ad796ea1a4264440a17af178218c7bb6c7e8ebdf9340a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57638/

Comments