MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39
SHA3-384 hash: aeddb400af8d36047beb428b65d4925ba3cb64e7d0054f13f750f1467b06d69d721f61077e0efb2b85a42f13f91f8e45
SHA1 hash: 793c8056c8a951c6b23b9f827590562746df23c8
MD5 hash: cd42bb49d88bb17316fd05909f1c7fa2
humanhash: item-coffee-golf-mars
File name:mapistub.payload
Download: download sample
File size:6'136'832 bytes
First seen:2026-06-26 14:48:42 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash a3979f3bea909dc8b2cd85c87303001a
ssdeep 98304:K361Z1oUscTBQpBUGcUnwbHmK9HLS2h45sARq8C0:K36SbUGcUwbLVSI4298C
TLSH T17756D013B285743ED42F1A790827A660A83B7A612556CC5FA7F41C4CCF3A7807F3A667
TrID 68.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
10.7% (.EXE) Win64 Executable (generic) (6522/11/2)
7.4% (.EXE) Win32 Executable (generic) (4504/4/1)
3.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
3.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:dll upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 d551be873e5bcebbc1a2f0baf3ee52c98dbdfeb483b46f6d2be8333df7635bfb
File size (compressed) :4'145'152 bytes
File size (de-compressed) :6'136'832 bytes
Format:win32/pe
Packed file: d551be873e5bcebbc1a2f0baf3ee52c98dbdfeb483b46f6d2be8333df7635bfb

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72137/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3e917c1548daf709fa03ea
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint keylogger packed reconnaissance
Link:
https://www.filescan.io/uploads/6a3e9174fe81d93d3f225b5d/reports/122ccfa1-0d4c-4638-892b-c4175d6ec9f6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/17244637-ffa3-4f23-b659-c9d54b4baafb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1934265
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Creates an autostart registry key pointing to binary in C:\Windows
Found API chain indicative of debugger detection
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39/
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.Metamorfo
Link:
https://tip.neiki.dev/file/76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-06-26 14:49:34 UTC
File Type:
PE (Dll)
Extracted files:
164
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2rg6sxfcos4utdv6z74tlzp33fxz64f5jevwzed3nk26t4k3i4q._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/260626-r67zvscs7z/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Program crash
Unpacked files
SH256 hash:
76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39
MD5 hash:
cd42bb49d88bb17316fd05909f1c7fa2
SHA1 hash:
793c8056c8a951c6b23b9f827590562746df23c8
Link:
https://www.unpac.me/results/18f06ae3-a135-4230-809c-fb47f72bc5a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Microsoft Software Installer (MSI) msi 810ed7d47bca28d6b94b86b53a66e866aaf99314458341eaf085f2b89f4db37c

DLL dll d551be873e5bcebbc1a2f0baf3ee52c98dbdfeb483b46f6d2be8333df7635bfb

DLL dll 76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39

(this sample)

  
Dropped by
SHA256 d551be873e5bcebbc1a2f0baf3ee52c98dbdfeb483b46f6d2be8333df7635bfb
Cape
Cape
https://www.capesandbox.com/analysis/72137/
  
Dropped by
MD5 e6906caeb0aac854905edc255fb7046b

Comments