MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d551be873e5bcebbc1a2f0baf3ee52c98dbdfeb483b46f6d2be8333df7635bfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: d551be873e5bcebbc1a2f0baf3ee52c98dbdfeb483b46f6d2be8333df7635bfb
SHA3-384 hash: a21b574bead3c1dd7f69ef0c3c1123e6196a612408c57c4458cb714133308792c8cb710339d1f73e77ea62dc501c1b45
SHA1 hash: a41d420a413620b92d75cc157c0002f163783009
MD5 hash: e6906caeb0aac854905edc255fb7046b
humanhash: pasta-pip-freddie-wolfram
File name: mapistub.payload
File size: 4'145'152 bytes
First seen: 2026-06-26 14:47:59 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 82b064beaf47c47d8f53a822526299b5
ssdeep: 98304:FZ6wktoeYfV5uEfneq9DiT5vGUyLNevO3pPCP+sHnH5xI52+ULMgN3mxiMM:FZomx77fneYDiTEUyIG54+sHnfIU+UMk
TLSH: T10016336E81012C74F5821CB8936DB9E0A006347B5C9A34754C0BCBAFA576AE7D6F5B0F
TrID: 58.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      14.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      9.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      4.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: johnk3r
Tags: Bahamut banker dll dservices-space UPX


johnk3r
Targets:
"name": "Banco do Brasil",
"name": "Banco Bradesco",
"name": "Banco Caixa Economica",
"name": "Banco Itau",
"name": "Banco Santander",
"name": "Banco Sicoob",
"name": "Banco Sicredi",
"name": "Mercado Pago - BR",
"name": "Banco Safra",
"name": "Banco BTG Pactual",
"name": "Banco Inter",
"name": "Banco Stone",
"name": "Banco C6 Bank",
"name": "Banco InfinitePay",
"name": "Banco BS2",
"name": "Banco ASSAS",
"name": "Banco Cora",
"name": "Banco BRB",
"name": "Banco Banese",
"name": "Banco Banestes",
"name": "Banco da Amazonia",
"name": "Banco do Nordeste",
"name": "Banco Banpara",
"name": "Banco Banrisul",
"name": "Banco Cresol",
"name": "Banco Ailos Cooperativas",
"name": "Banco Unicred do Brasil",
"name": "Banco Semear",
"name": "Banco ABC Brasil",
"name": "Banco Credisis",
"name": "Banco Efi Bank",
"name": "Banco Daycoval",
"name": "Banco Topázio",
"name": "Banco Rendimento",
"name": "Banco Sisprime",
"name": "Banco Sofisa",
"name": "Banco Credisan",
"name": "Banco Fibra",
"name": "Banco Conta Simples",
"name": "Banco Senff",
"name": "Banco BMG",
"name": "Banco BV",
"name": "Banco PicPay",
"name": "Banco BBC Digital",
"name": "Banco SumUp",
"name": "Banco Clara",
"name": "Conta PJ – Conta Azul",
"name": "Banco Grafeno Digital",
"name": "Banco XP Investimentos",
"name": "Banco Tribanco",
"name": "Banco Industrial do Brasil",
"name": "Banco Pine",
"name": "Banco NBC Bank S.A",
"name": "Banco Servicoop",
"name": "Banco PagBank",
"name": "Banco Rico Investimentos",
"name": "Banco Mercantil",
"name": "Banco Original",
"name": "Exchange Binance",
"name": "Exchange Mercado Bitcoin",
"name": "Exchange NovaDAX",
"name": "Exchange Bitso",
"name": "Exchange OKX",
"name": "Exchange Bybit",
"name": "Exchange Foxbit",
"name": "Exchange Ripio"
File size (compressed): 4'145'152 bytes
File size (de-compressed): 6'136'832 bytes
Format: win32/pe
Unpacked file: 76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39

Intelligence


File Origin
# of uploads: 1
# of downloads: 121
Origin country: CH
Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: virus
Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug bankingtrojan borland_delphi fingerprint keylogger overlay packed reconnaissance upx
Verdict: Malicious
File Type: dll x32
First seen: 2026-06-23T16:31:00Z UTC
Last seen: 2026-06-23T16:39:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Banker.Win32.Metamorfo.gen
Result
Threat name: n/a
Detection: malicious
Classification: spyw
Score: 68 / 100
Signature:
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Creates an autostart registry key pointing to binary in C:\Windows
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Behaviour
Verdict: Malicious
Threat: Trojan-Banker.Win32.Metamorfo
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2026-06-25 20:07:15 UTC
File Type: PE (Dll)
Extracted files: 172
AV detection: 20 of 36 (55.56%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: adware discovery persistence ransomware spyware upx
Behaviour:
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Program crash
System Location Discovery: System Language Discovery
UPX packed file
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Unpacked files
SHA256 hash: d551be873e5bcebbc1a2f0baf3ee52c98dbdfeb483b46f6d2be8333df7635bfb
MD5 hash: e6906caeb0aac854905edc255fb7046b
SHA1 hash: a41d420a413620b92d75cc157c0002f163783009
SHA256 hash: 76a26f4ae513a5ca4c75f67fc9af2fdecb7cfb85ea495b6483db55af4f8ada39
MD5 hash: cd42bb49d88bb17316fd05909f1c7fa2
SHA1 hash: 793c8056c8a951c6b23b9f827590562746df23c8
SHA256 hash: ed6efd51a6e5e69b26bc58f41a12c05fcf4b5e14645ecb26b86dcc34aedd0c4b
MD5 hash: 0b98f051d34c0531b868ef45b768dcdd
SHA1 hash: 66146a4982aec2127cb51089565a5f6781043346
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: telebot_framework
Author: vietdx.mb
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

DLL d551be873e5bcebbc1a2f0baf3ee52c98dbdfeb483b46f6d2be8333df7635bfb (this sample)

Comments