MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0afd54e64d99cfa5e607f13576861b0e5f999953dcedc3fcdf26c08d12b2c4fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0afd54e64d99cfa5e607f13576861b0e5f999953dcedc3fcdf26c08d12b2c4fd
SHA3-384 hash: fbe46eb530fdd013b24ae47f2ad5f49e62bd52a9bdc94efc75fbece83f51d006a127a24d6975e862bfbba22f493abecd
SHA1 hash: 9624e6542e4d7f86c45a7269838708a06d9c4cc0
MD5 hash: 6dc9e60b6798d1ce192399005c790105
humanhash: xray-saturn-alanine-crazy
File name:SecuriteInfo.com.Trojan.Siggen32.10693.30768.5189
Download: download sample
Signature DonutLoader
Create hunting rule
File size:297'472 bytes
First seen:2025-12-08 17:46:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 53e19d5243b4f25d48df742c8d94ac9c (11 x DonutLoader)
ssdeep 3072:AfRbXxsn6slR57cZ6EhE4IQNv8kAeI2yEe28Plq9njUIg9P8W/mrakO+OlbCxFUC:AfRbGY6EDNNAuHe28Pl2ncxl2JR2O
Threatray 105 similar samples on MalwareBazaar
TLSH T1CA548D15BAA810FEE977C17CC9428906EB72BC464761E7CF13904AA62F277D09D3EB11
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:donutloader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
FR FR
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
FiVEMod.exe
Verdict:
Malicious activity
Analysis date:
2025-12-04 08:24:35 UTC
Tags:
loader stealc stealer
Link:
https://app.any.run/tasks/9a857a38-0696-4cdd-9560-0234dad8ed7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43903/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69370f1a881313558a2ba2d0
Tags:
phishing cobalt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 cmd fingerprint lolbin microsoft_visual_cc mikey
Link:
https://www.filescan.io/uploads/69370f1d6019bc7a8f82367b/reports/6e75e86e-b2a7-4b67-bb67-609b7ac4c855/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0afd54e64d99cfa5e607f13576861b0e5f999953dcedc3fcdf26c08d12b2c4fd
Result
Gathering data
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-03T16:10:00Z UTC
Last seen:
2025-12-08T14:37:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/0afd54e64d99cfa5e607f13576861b0e5f999953dcedc3fcdf26c08d12b2c4fd/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0afd54e64d99cfa5e607f13576861b0e5f999953dcedc3fcdf26c08d12b2c4fd
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/6dc9e60b6798d1ce192399005c790105
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0afd54e64d99cfa5e607f13576861b0e5f999953dcedc3fcdf26c08d12b2c4fd/
Threat name:
Win64.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2025-12-03 23:44:04 UTC
File Type:
PE+ (Exe)
AV detection:
27 of 36 (75.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bl6vjzsnthh2lzqh6e2xnbq3bzpztgkt3tw4h7g7e3ai2evsyt6q._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
shellcode_loader_007
Create hunting rule
Similar samples:
20291af59067a9886fa2c749d711adc8c2ecf687a48611cbdfefe6b5ca0f583f
DonutLoader
487b6acddac1739cc3a60cf049c4c33fc6b90df631f71b414775e3c83661afec
DonutLoader
598ffd82d04b569216f966118d2674619d220d5240b491180f0b883f352c3519
DonutLoader
98e4d266baaf84d76b0c152cba4f2c0e36c30a3de818f4efa86012da3601a4e1
DonutLoader
b95e69a846b41f56eb8e746b56dc85a98da5ed989411579bcda5af0b959f07e1
DonutLoader
bc64c13545032d1db5f783a9972eace89449a6c331ae86e45edf25f2c3e20ec3
DonutLoader
bf9bb4e96fcb905e1a90c89388bf931829282ec8dffab7f7adeaff850940eab0
DonutLoader
+ 95 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:stealc family:xmrig botnet:191k2f3o37kn23658n defense_evasion discovery execution miner persistence spyware stealer
Link:
https://tria.ge/reports/251208-wcxz1sgy3b/
Behaviour
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Hide Artifacts: Hidden Window
Checks computer location settings
Executes dropped EXE
Prevents Microsoft Defender from scanning certain paths by adding an exclusion.
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Stealc
Stealc family
XMRig Miner payload
Xmrig family
xmrig
Malware Config
C2 Extraction:
https://ggh5e4h54.cc
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f6a5fee8-92e1-4c9b-9574-d89c245b9aa2
Unpacked files
SH256 hash:
0afd54e64d99cfa5e607f13576861b0e5f999953dcedc3fcdf26c08d12b2c4fd
MD5 hash:
6dc9e60b6798d1ce192399005c790105
SHA1 hash:
9624e6542e4d7f86c45a7269838708a06d9c4cc0
Link:
https://www.unpac.me/results/5beaa83e-4a2c-403d-85c3-17356861697f/
Malware family:
Stealc.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0afd54e64d99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DonutLoader

Executable exe 0afd54e64d99cfa5e607f13576861b0e5f999953dcedc3fcdf26c08d12b2c4fd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3729342/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/43903/

Comments