MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0855861fc39342ca8009838782c39351be5da43e60809aa13322f11cd95d59ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 15

SHA256 hash: 0855861fc39342ca8009838782c39351be5da43e60809aa13322f11cd95d59ad
SHA3-384 hash: 00e14fdbf1000ff1e92f5e6fc9e6d78316958a7fa6b9bedb4a38a534b0629153f0c982fe45c64c2c1e5ddc11a70836ce
SHA1 hash: cfc0552b45b3f66969aa1eaffceb4c12e7636323
MD5 hash: 28827bb745df0e8f5ab4d809eba41ac0
humanhash: burger-autumn-ohio-mirror
File name: F_Exe1
Signature: DonutLoader
File size: 44'648'412 bytes
First seen: 2026-05-11 22:00:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 573bb7b41bc641bd95c0f5eec13c233b (39 x GuLoader, 25 x RemcosRAT, 16 x VIPKeylogger)
ssdeep: 786432:W6q5OMGvRMbCubjuyCWwuMHIMtyOeZ4hYTpBrinrSER8e0TDGg8em:WjYMGvRM+YuyCWwuMHIMtyOeZ4hYTpBC
Threatray: 7 similar samples on MalwareBazaar
TLSH: T1BBA7AFF3B619C135F16D51B84D6457DB803D9C250BA121FBB2487BAA1A31ACB173AF83
TrID: 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
      8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: c4ccb392f1f192cc (4 x LummaStealer, 2 x AsyncRAT, 1 x Formbook)
Reporter: aachum
Tags: 6hndc-com CHN donutloader exe


iamaachum
https://teams-app.com.cn/ => https://553e33.huzero.com/Teams6.1.zip

C2: 6hndc.com (185.203.39.71:8853)

Intelligence


File Origin
# of uploads: 1
# of downloads: 130
Origin country: ES

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: F_Exe1.exe
Verdict: Malicious activity
Analysis date: 2026-05-11 21:57:27 UTC
Tags: donutloader loader
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: obfuscated cobalt shell sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm base64 crypt datper fingerprint installer installer installer-heuristic microsoft_visual_cc nsis overlay packed packed reconnaissance smb

Verdict: Malicious
File Type: exe x32
First seen: 2026-05-11T19:08:00Z UTC
Last seen: 2026-05-13T15:31:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Rekvex.sb Trojan-Downloader.Agent.TCP.C&C PDM:Exploit.Win32.Generic PDM:Trojan.Win32.Generic HackTool.Multi.AmsiETWPatch.sb Trojan.Win32.Zenpak.sb Trojan.Win32.Shellcode.sb HEUR:Trojan.Win32.ShellEx.gen not-a-virus:AdWare.Win32.Agent.jxja Trojan.Win32.Shellcode.pkt Trojan-Dropper.Win64.Agent.sb not-a-virus:BSS:AdWare.Win32.Yzon.a

Result
Threat name: DonutLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  Adds a directory exclusion to Windows Defender
  Creates files in the system32 config directory
  Delayed program exit found
  Found API chain indicative of debugger detection
  Joe Sandbox ML detected suspicious sample
  Loading BitLocker PowerShell Module
  Malicious sample detected (through community Yara rule)
  Maps a DLL or memory area into another process
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Query firmware table information (likely to detect VMs)
  Reads the Security eventlog
  Reads the System eventlog
  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
  Unusual module load detection (module proxying)
  Yara detected DonutLoader
Behaviour:
Behavior Graph (ID 1911963; sample F_Exe1.exe; start date 12/05/2026; architecture WINDOWS; score 100), rendered here as a process tree (node annotations: DNS/IP, dropped files, signatures):

Sample (root)
  DNS/IP: 6hndc.com
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected DonutLoader; 2 other signatures
  F_Exe1.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\...\ev2f79.exe (PE32); C:\Users\user\AppData\Roaming\...\ev2c34.exe (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32); 12 other files (none is malicious)
    Signatures: Adds a directory exclusion to Windows Defender
    ev2f79.exe (started)
      Signatures: Multi AV Scanner detection for dropped file; Found API chain indicative of debugger detection; Maps a DLL or memory area into another process
      VSSVC.exe (started)
        Signatures: Creates files in the system32 config directory; Maps a DLL or memory area into another process; Unusual module load detection (module proxying); 3 other signatures
        svchost.exe (injected)
          dllhost.exe (started)
        WmiPrvSE.exe (started)
    ev2c34.exe (started)
      Signatures: Unusual module load detection (module proxying)
      sihost.exe (injected)
        UserAccountBroker.exe (started)
          DNS/IP: 6hndc.com 185.203.39.71, 49691, 49692, 7070, BILLY-AS-APAntboxNetworkCN, China
          Signatures: Query firmware table information (likely to detect VMs); Unusual module load detection (module proxying); Delayed program exit found
        edpnotify.exe (started)
    cmd.exe (started)
      Signatures: Adds a directory exclusion to Windows Defender
      cmd.exe (started)
        Signatures: Adds a directory exclusion to Windows Defender
        powershell.exe (started)
          Signatures: Loading BitLocker PowerShell Module
      conhost.exe (started)
    cmd.exe (started)
      conhost.exe (started)
      tasklist.exe (started)
      findstr.exe (started)
  rundll32.exe (started)
    ev2f79.exe (started)
Threat name: Win32.Trojan.Kepavll
Status: Malicious
First seen: 2026-05-11 21:57:16 UTC
File Type: PE (Exe)
Extracted files: 230
AV detection: 14 of 38 (36.84%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution ransomware
Behaviour:
  Modifies data under HKEY_USERS
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Uses Volume Shadow Copy service COM API
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Drops file in Program Files directory
  Drops file in System32 directory
  Enumerates processes with tasklist
  Executes dropped EXE
  Loads dropped DLL
  Command and Scripting Interpreter: PowerShell

Malware family: DonutLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agent_BTZ

Rule name: APT_Sandworm_ArguePatch_Apr_2022_1
Author: Arkbird_SOLG
Description: Detect ArguePatch loader used by Sandworm group to load CaddyWiper
Reference: https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: cobalt_strike_beacon_detected
Author: 0x0d4y
Description: This rule detects cobalt strike beacons.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: crime_win32_ransom_avaddon_1
Author: @VK_Intel
Description: Detects Avaddon ransomware
Reference: https://twitter.com/VK_Intel/status/1300944441390370819

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.

Rule name: Glasses
Author: Seth Hardy
Description: Glasses family

Rule name: GlassesCode
Author: Seth Hardy
Description: Glasses code features

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Indicator_MiniDumpWriteDump
Author: Obscurity Labs LLC
Description: Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: mht_inside_word
Author: dPhish
Description: Detect embedded mht files inside Microsoft Word.

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Rhadamanthys_Stealer_Payload
Author: ventdrop
Description: Detects Rhadamanthys infostealer final payload (unpacked)

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) Powershell or CMD command that can be abused by a threat actor (can create FP)

Rule name: telebot_framework
Author: vietdx.mb

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

Rule name: Win_FakeInstaller_PythonShellcodeLoader_Crepectl_2026
Author: SixHands
Description: Detects the analyzed fake installer sample using .key config, XOR key, and Python/fiber shellcode loader traits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: DonutLoader, Executable exe, SHA256 0855861fc39342ca8009838782c39351be5da43e60809aa13322f11cd95d59ad (this sample)

Delivery method: Distributed via web download

Comments