MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa3ff71da7f2a7fbbde0d2dd75273ba8b50917c7bcf9561958114aa1f992c987. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OffLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 14 File information Comments

SHA256 hash:	fa3ff71da7f2a7fbbde0d2dd75273ba8b50917c7bcf9561958114aa1f992c987
SHA3-384 hash:	390ce0788fa0e5ec81b3bc989b37a3b2157666c52c4f687f0173d804596479199798333ebf1f38f7db823ea335c141c5
SHA1 hash:	887fc89018934d12db829ba2d08dec882e240fcb
MD5 hash:	7012db2af28822106d740770767c47b4
humanhash:	chicken-moon-iowa-may
File name:	Pdf reader.zip
Download:	download sample
Signature	OffLoader Create hunting rule
File size:	5'677'285 bytes
First seen:	2026-04-16 20:16:05 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	98304:o5OQX/gL7kBO5WIw0XDR6PktRwBOBfKt5yLFxNTZB7ktTq8K+ly8DfIbhGSqzxE:MlXI3kG9t6PktRw/tyd3w++lz0byE
TLSH	T18A46023BF28B647DE06A56357AB29114953B7D216A128C4797ECF48CCF261B01E3E393
TrID	46.6% (.SH3D) Sweet Home 3D Design (generic) (10500/1/3) 35.5% (.XPI) Mozilla Firefox browser extension (8000/1/1) 17.7% (.ZIP) ZIP compressed archive (4000/1)
Magika	zip
Reporter	smica83
Tags:	baskethumor-xyz HUN OffLoader zip

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Pdf reader.exe
File size:	2'097'087 bytes
SHA256 hash:	73da5ee5043095605f2349bc44befbf5bfa8013647af2a7d5915d48e8fe55a7c
MD5 hash:	b969c1287fba482783c39bb672b1702f
MIME type:	application/x-dosexec
Signature	OffLoader

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/518c4b5e-cb1d-4761-ac8a-05e5dadc0db5/

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6988f8b342fd65534ccd9e16

Tags:

dropper virus blic

Result

Verdict:

Malicious

File Type:

PE File

Link:

https://app.docguard.net/fa3ff71da7f2a7fbbde0d2dd75273ba8b50917c7bcf9561958114aa1f992c987/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug embarcadero_delphi fingerprint infostealer inno installer installer installer-heuristic packed soft-404

Link:

https://www.filescan.io/uploads/69e143a09124ebc0875460a6/reports/d41f3fe4-f223-40e6-b736-b6c1b640fcf0/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/fa3ff71da7f2a7fbbde0d2dd75273ba8b50917c7bcf9561958114aa1f992c987

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/fa3ff71da7f2a7fbbde0d2dd75273ba8b50917c7bcf9561958114aa1f992c987

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

File Type:

zip

Link:

https://opentip.kaspersky.com/fa3ff71da7f2a7fbbde0d2dd75273ba8b50917c7bcf9561958114aa1f992c987/results?tab=lookup

Score:

79%

Verdict:

Malware

File Type:

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	ZIP_PowerShell_Susp_Obf Create hunting rule
Author:	ventdrop
Description:	Detect .zip files containing susp and obf embedded PS command

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample