MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OffLoader

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1
SHA3-384 hash:	e9ef94a8de427b1046341fc22882b49d843c80e22ecda86d1581d7576f82b34652db2851db32ebd3b79e94e6ce0b4285
SHA1 hash:	36c1ba73d620fa3908e812c9313a37e05d473895
MD5 hash:	c55bd85a5a28fe5e5a5fa6c15aa4628e
humanhash:	harry-five-beer-helium
File name:	UPDATEDSuperiorityRustHackv2580NON-Steam.exe
Download:	download sample
Signature	OffLoader Create hunting rule
File size:	2'048'678 bytes
First seen:	2025-11-19 19:01:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ac4ded70f85ef621e5f8917b250855be (12 x OffLoader, 2 x Tofsee)
ssdeep	24576:cX6N6JCGN33/T15ZWi7Knsz+6f+GqWU/Wr0VUw9jzy3+nILajv12fJO6xxvZSABa:/N61T1me7qWUWr0VZ9vFnIL4kOSxhpVi
TLSH	T13895CF33F28AA73EE06A1A3759F292505D3B7A21641E8C4296EC3C4CCF791601E7F657
TrID	49.8% (.EXE) Inno Setup installer (107240/4/30) 20.0% (.EXE) InstallShield setup (43053/19/16) 19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 4.8% (.EXE) Win64 Executable (generic) (10522/11/4) 2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe OffLoader

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

UPDATEDSuperiorityRustHackv2580NON-Steam.exe

Verdict:

Malicious activity

Analysis date:

2025-11-15 18:12:35 UTC

Tags:

delphi inno installer adware

Link:

https://app.any.run/tasks/d61d93dd-b4c2-4f1c-97e3-de3d6bc7ab2e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38717/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6918c293434cd67b17c1cb06

Tags:

shellcode dropper virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed zero

Link:

https://www.filescan.io/uploads/691e14050b3798286007ce67/reports/66de1a7c-45c6-4f3a-997f-6d7ecd56488c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-15T15:15:00Z UTC

Last seen:

2025-11-16T01:59:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Win32.OffLoader.gen

Link:

https://opentip.kaspersky.com/dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1/results?tab=lookup

Malware family:

Sunstream Labs

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a721d7d6-f784-43f6-af7e-3a63dd4d262c

Result

Threat name:

n/a

Detection:

suspicious

Classification:

troj

Score:

30 / 100

Link:

https://www.joesandbox.com/analysis/1817156

Signature

Performs DNS queries to domains with low reputation

Behaviour

Behavior Graph:

Download SVG

Score:

81%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/c55bd85a5a28fe5e5a5fa6c15aa4628e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1/

Verdict:

Malicious

Threat:

Trojan-Downloader.Win32.OffLoader

Link:

https://tip.neiki.dev/file/dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3wlfxafzmlyodshjl2wgaygollffsuoa4wy7nm4k7zhoe6ee3gqq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/251119-xpff6symal/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/40145846-f98e-4cd5-881c-cda2eb3e4c0d

Unpacked files

SH256 hash:

dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1

MD5 hash:

c55bd85a5a28fe5e5a5fa6c15aa4628e

SHA1 hash:

36c1ba73d620fa3908e812c9313a37e05d473895

Link:

https://www.unpac.me/results/6fd28c35-1e08-4dd8-94a9-eb4c988f85b9/

SH256 hash:

eb498854a4e53198ce8e2d9d0a424e6ad5cb3024184834371577bb30da990cbf

MD5 hash:

e40d7a991de1ef178719ff113e0cedc3

SHA1 hash:

598862eb3b6e42124f063d46eb0248ab18c79b03

Link:

https://www.unpac.me/results/6fd28c35-1e08-4dd8-94a9-eb4c988f85b9/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/6fd28c35-1e08-4dd8-94a9-eb4c988f85b9/

SH256 hash:

a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec

MD5 hash:

6faec01bf7a3d7f5c5dee2e6e3143a58

SHA1 hash:

603a36f817cab5574e58ab279379e5c112e5fb37

Link:

https://www.unpac.me/results/6fd28c35-1e08-4dd8-94a9-eb4c988f85b9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dd965b80b962f0e1c8e95eac6060ce5aca5951c0e5b1f6b38afe4ee27884d9a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/38717/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample