MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76d05282f149a1db0581a16696d1a141d432b8f34437f2008591263ba5653cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76d05282f149a1db0581a16696d1a141d432b8f34437f2008591263ba5653cb1
SHA3-384 hash: 4bea4795b1c5aa03948610d35da10e99ac63e93068c9a68582b541b515818b8063120bdd1f0806dde1c487f549a925cc
SHA1 hash: 7bf4cb3e360bdaef559b4c4512595631e6208f73
MD5 hash: 516b860f12adead40d62b51a139c3873
humanhash: purple-two-connecticut-fillet
File name:Win-malqla-x64.msi
Download: download sample
File size:78'918'144 bytes
First seen:2026-01-27 07:41:03 UTC
Last seen:2026-01-27 07:51:21 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:kCdPxPofx0hwEPuT6e2WJWq3rVCyGIM0DEFNTnN0cmk:kkyfx0hwE0/zrABIMiCN75mk
Threatray 989 similar samples on MalwareBazaar
TLSH T110083332B08B8635C11F5B7BE525AE1E88723C52B73B01ABB6957EB60175CC385B1D83
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter zhuzhu0009
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
32
Origin country :
SC SC
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/b6fbb262-8568-4e55-aa31-98c03b9e5e91/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69786c496fa3eed1652f656f
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug at base64 CAB cmd donut evasive expired-cert expired-cert fingerprint installer large-file lolbin miner packed wix
Link:
https://www.filescan.io/uploads/69786c3a4156786ccbd9a3c1/reports/519bfd0f-3308-4137-96b1-3206118bad17/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/76d05282f149a1db0581a16696d1a141d432b8f34437f2008591263ba5653cb1
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/76d05282f149a1db0581a16696d1a141d432b8f34437f2008591263ba5653cb1
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2026-01-27T04:06:00Z UTC
Last seen:
2026-01-28T04:09:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.DLLhijack.sb Trojan.Win32.Inject.sb Trojan.Win32.Autorun.gen Trojan.Win32.DLLhijack.adsp Trojan.Win32.DLLhijack.adsi Trojan.Win32.Shellcode.sb Trojan.Win32.Agent.xbzdml Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/76d05282f149a1db0581a16696d1a141d432b8f34437f2008591263ba5653cb1/results?tab=lookup
Score:
77%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/76d05282f149a1db0581a16696d1a141d432b8f34437f2008591263ba5653cb1
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Inject
Link:
https://tip.neiki.dev/file/76d05282f149a1db0581a16696d1a141d432b8f34437f2008591263ba5653cb1
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-27 07:42:52 UTC
File Type:
Binary (Archive)
Extracted files:
508
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3iffaxrjgq5wbmbuftjnunbihkdfohtiq37eaefsetdxjlfhsyq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
482f51e57f724cd6abd5d090608e47838c77f52f3e92a9051323132f5b81a319
6bfcf6de9b11a3e741c9dd1e9bec9bb129b123f204decb5f6bb227c6585ef1ed
76d05282f149a1db0581a16696d1a141d432b8f34437f2008591263ba5653cb1
7c2769b905c5142f6236c48b071aef3ed4ec9895e7c132a868c725bb43a064e7
8e21f3aeea96d71deb10108b8d030bb2e7ce2e0ce85a12e1855ff7c56ce83535
adbd29511f149301dbf97c6c6acb924e850c1a0383a7b4a391bf6b75ef979ffa
error
+ 979 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260127-jjh38af13a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/76d05282f149/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:Excel_Hidden_Macro_Sheet
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments