MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OffLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5
SHA3-384 hash: 01ed4ffb25b048da72d54c03fd52f9d0786b75cee344be5fb7c634100b437e0d104699cbfd886b98f0a8b76a99ee9824
SHA1 hash: 88e8f20e17635e57dc5097e8e30cbba2fadd00aa
MD5 hash: b503805d6285590035288d05a5b81ae0
humanhash: mike-utah-eleven-edward
File name:file
Download: download sample
Signature OffLoader
Create hunting rule
File size:4'871'684 bytes
First seen:2025-12-24 22:15:20 UTC
Last seen:2025-12-25 00:46:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ac4ded70f85ef621e5f8917b250855be (25 x OffLoader, 2 x Tofsee, 2 x CHStealer)
ssdeep 98304:HN66RVujSjRj7vznKTZ0dN3bC0PtygrfY+ogegOEAN3v5Ik:/TjBvz4sU0P8+ogedPN3ik
Threatray 405 similar samples on MalwareBazaar
TLSH T19F360123E2CB623DE36A5B37D5B2B130483B6E11A51B4C4696E4EC4CCF39CA01D7E656
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Bitsight
Tags:b80777 dropped-by-amadey exe OffLoader


Avatar
Bitsight
url: http://62.60.226.159/geter/scalable_8599.9243.77_INSTALL.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
112
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/df413b48-28dc-45b8-8436-1926f459e85b/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-12-24 22:16:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d090f76f-389e-4992-8a56-b2a7b1497f7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46001/
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694c6601038f10550b555dcb
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed tofsee zero
Link:
https://www.filescan.io/uploads/694c65fb5ceddcfa3ff6aef5/reports/270d5b74-1f1c-4dd1-a019-7e7412a0ed71/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-24T17:19:00Z UTC
Last seen:
2025-12-24T18:45:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/627947d0-7930-489c-ad2d-d5d5dcc92487
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b503805d6285590035288d05a5b81ae0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5/
Verdict:
Malicious
Threat:
Family.OFFLOADER
Link:
https://tip.neiki.dev/file/c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yg5uw5cl5eueka4rtlqktn5hxar4mjs5k5ydtplxi634zeavkgsq._file
Verdict:
malicious
Label(s):
unc_loader_073
Create hunting rule
Similar samples:
2af5b20be78d166ff38cd23466548334f767fa22a58620dd049975ac1288caf6
OffLoader
312ff53f4264561e0c409d76e073835d9058c824736eb8b36545703a9181a1da
OffLoader
3232706a6824a99e09588cbd5b4528632c0d2f8cf905e92fc1dad9d57152d390
OffLoader
5b3df1928e2ac791a66f62eb0a4e77b11e86a5600d8d3fd599eb874b3d6ba9ee
OffLoader
811471a5b0b641fb1f8e9e077f54f9f631022cb1f8372f2daca3323c7e7128d6
OffLoader
aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb
OffLoader
bfb6c67ed33c29f4c37e8d749b73c88ea9469e22952d75d1cc9906054ac47773
OffLoader
dfa531e1ac9cb7c6ca7cd7cd052c5a33af615cc4f8b1a8cf8a0cc85a1064c3dd
OffLoader
error
OffLoader
f5a90a24084cad14af5df6aa3164edad769a26e3649c2b8243e2a404983e7b90
OffLoader
+ 395 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery installer persistence upx
Link:
https://tria.ge/reports/251224-16jrpsey7e/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ad600986-9bed-4ad9-ab67-fd2cf6427ae6
Unpacked files
SH256 hash:
c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5
MD5 hash:
b503805d6285590035288d05a5b81ae0
SHA1 hash:
88e8f20e17635e57dc5097e8e30cbba2fadd00aa
Link:
https://www.unpac.me/results/c10ef1bf-dcf1-4daf-b850-0d37fec4d56f/
SH256 hash:
d6c8b209ba1e70885f315d0691a01a9696e66e399925ca8b70e45392e3ce0b3d
MD5 hash:
3a30c6ae7d9553fdde4937cb99de4b57
SHA1 hash:
0463a35ff3c1945687cc7264f44aaf0bed9480c8
Link:
https://www.unpac.me/results/c10ef1bf-dcf1-4daf-b850-0d37fec4d56f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:bumblebee_win_generic
Create hunting rule
Author:_kphi
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OffLoader

Executable exe c1bb4b744be9284503919ae0a9b7a7b823c6265d577039bd7747b7cc901551a5

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/46001/
  
URLhaus
https://urlhaus.abuse.ch/url/3742812/
  
URLhaus
https://urlhaus.abuse.ch/url/3737969/

Comments