Trojan:Win32/OffLoader.POFF!MTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/OffLoader.POFF!MTB
Classification:
Type: Trojan
Platform: Win32
Family: OffLoader
Detection Type: Concrete (known malware family with identified signatures)
Variant: POFF (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family OffLoader.

Summary:

Trojan:Win32/OffLoader.POFF!MTB is a sophisticated Trojan that uses various techniques for persistence and evasion, including abuse of LOLBINs (PowerShell, mshta, rundll32, regsvr32), BITS jobs, and scheduled tasks. It features API hooking, engages in command-and-control (C2) communication, likely to download additional payloads or exfiltrate data, and possesses file manipulation capabilities such as deletion and remote copying.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win32_OffLoader_POFF_2147954587_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/OffLoader.POFF!MTB"
        threat_id = "2147954587"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "OffLoader"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "Low"
    strings:
        $x_3_1 = {68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 [0-42] 2e 00 69 00 6e 00 66 00 6f 00 2f 00 [0-15] 2e 00 70 00 68 00 70 00 3f 00 [0-4] 3d 00 6e 00 26 00 6b 00 3d 00 ?? ?? ?? ?? ?? ?? ?? ?? 26 00 74 00 3d 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 26 00 [0-10] 3d 00 [0-255] 26 00 [0-10] 3d 00 00 00 2f 00 73 00 69 00 6c 00 65 00 6e 00 74 00 00 00 67 00 65 00 74 00 00 00 31 00 30 00 32 00 33 00 ?? ?? ?? ?? ?? ?? ?? ?? 35 00 30 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 [0-42] 2e 00 78 00 79 00 7a 00 2f 00 [0-15] 2e 00 70 00 68 00 70 00 3f 00 [0-4] 3d 00 6e 00 26 00 6b 00 3d 00 ?? ?? ?? ?? ?? ?? ?? ?? 26 00 74 00 3d 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 26 00 [0-10] 3d 00 [0-255] 26 00 [0-10] 3d 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2e 00 65 00 78 00 65 00}  //weight: 3, accuracy: Low
        $x_3_2 = {68 74 00 74 00 70 3a 2f 2f [0-42] 2e 69 6e 66 6f 2f [0-15] 2e 70 68 70 3f [0-4] 3d 6e 26 6b 3d ?? ?? ?? ?? ?? ?? ?? ?? 26 74 3d ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 26 [0-10] 3d [0-255] 26 [0-10] 3d 00 00 2f 73 69 6c 65 6e 74 00 00 67 65 74 00 00 31 30 32 33 ?? ?? ?? ?? ?? ?? ?? ?? 35 30 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 68 74 00 74 00 70 3a 2f 2f [0-42] 2e 78 79 7a 2f [0-15] 2e 70 68 70 3f [0-4] 3d 6e 26 6b 3d ?? ?? ?? ?? ?? ?? ?? ?? 26 74 3d ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 26 [0-10] 3d [0-255] 26 [0-10] 3d ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2e 65 78 65}  //weight: 3, accuracy: Low
        $x_2_3 = "Do you want to reboot now?" ascii //weight: 2
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_3_*) and 1 of ($x_2_*))) or
            ((2 of ($x_3_*))) or
            (all of ($x*))
        )
}
Known malware associated with this threat:
Filename: KMSpico (2025) 12.2.4 FINAL (Office and Windows 10 Activator).exe
SHA-256: 17015486a4e36b7b8e7c76fecec5964b0ad375403fc49566edad2ce7561d51ee
Date: 23/12/2025
Filename: KMSpico 2024 18.6.10 Final [Windows And Office Activator].exe
SHA-256: 3b2107d95c3261840a86ae3b07666326289e631cb04246a300699469766c3918
Date: 23/12/2025
Remediation Steps:
Immediately isolate the affected host from the network. Perform a full system scan with updated antivirus/anti-malware software and remove all detected malicious files. Investigate and remove any established persistence mechanisms (e.g., scheduled tasks, suspicious registry entries). Monitor network traffic for any attempts at C2 communication or lateral movement, and ensure all operating system and application security updates are applied to prevent re-infection.
=== END REPORT ===