MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1358a87d3ba43066bbbe4eb5e3a418fb6ee28fe40b832e6a0f2717205a484582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1358a87d3ba43066bbbe4eb5e3a418fb6ee28fe40b832e6a0f2717205a484582
SHA3-384 hash: b5b3d68f76da0cee4da10cf71f7e03a9e2304796f57175d197824c92975dbd9d9edd63d6d4eecaa47567036423383693
SHA1 hash: b83a0e3f7a31915c817d2008878ca3ac838eacd6
MD5 hash: 841f0eb77f0f74737eac0043ba6ed934
humanhash: grey-harry-comet-skylark
File name:PO-O6545-000.vbs
Download: download sample
Signature DonutLoader
Create hunting rule
File size:560'469 bytes
First seen:2025-11-04 08:38:36 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:+ojN3uIwV/csalQ/Y8JQMrj5AR0KfHf38CjmSZ:1ev9RRY8J6VMLQ
Threatray 161 similar samples on MalwareBazaar
TLSH T1F4C4BE39C760ACA86BB93193EF693505B397DE0363A42B9CF4C280D83D11559CFA716B
Magika vba
Reporter abuse_ch
Tags:donutloader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35250/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6909bcf59942f1282ecbe44e
Tags:
spawn sage
Verdict:
Suspicious
Labled as:
JS/Agent.DGI
Link:
https://www.hybrid-analysis.com/sample/1358a87d3ba43066bbbe4eb5e3a418fb6ee28fe40b832e6a0f2717205a484582
Verdict:
Malicious
File Type:
text
First seen:
2025-11-03T04:18:00Z UTC
Last seen:
2025-11-06T03:12:00Z UTC
Hits:
~100
Detections:
Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/1358a87d3ba43066bbbe4eb5e3a418fb6ee28fe40b832e6a0f2717205a484582/results?tab=lookup
Result
Threat name:
DonutLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1807536
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Creates processes via WMI
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected DonutLoader
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1807536 Sample: PO-O6545-000.vbs Startdate: 04/11/2025 Architecture: WINDOWS Score: 100 110 Malicious sample detected (through community Yara rule) 2->110 112 Multi AV Scanner detection for submitted file 2->112 114 Yara detected DonutLoader 2->114 116 11 other signatures 2->116 10 wscript.exe 1 2->10         started        14 cmd.exe 1 2->14         started        16 cmd.exe 1 2->16         started        18 4 other processes 2->18 process3 file4 94 C:\Users\Public\PoultryHub.bat, ASCII 10->94 dropped 130 Wscript starts Powershell (via cmd or directly) 10->130 132 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->132 134 Suspicious execution chain found 10->134 136 Creates processes via WMI 10->136 20 cmd.exe 1 10->20         started        23 cmd.exe 1 14->23         started        25 conhost.exe 14->25         started        27 cmd.exe 1 16->27         started        29 conhost.exe 16->29         started        31 cmd.exe 18->31         started        33 cmd.exe 18->33         started        35 cmd.exe 18->35         started        37 5 other processes 18->37 signatures5 process6 signatures7 118 Suspicious powershell command line found 20->118 120 Wscript starts Powershell (via cmd or directly) 20->120 122 Bypasses PowerShell execution policy 20->122 39 cmd.exe 1 20->39         started        41 conhost.exe 20->41         started        43 cmd.exe 1 23->43         started        46 cmd.exe 1 27->46         started        48 cmd.exe 31->48         started        50 cmd.exe 33->50         started        52 cmd.exe 35->52         started        54 cmd.exe 37->54         started        process8 signatures9 56 cmd.exe 2 39->56         started        138 Suspicious powershell command line found 43->138 140 Wscript starts Powershell (via cmd or directly) 43->140 59 powershell.exe 43->59         started        62 conhost.exe 43->62         started        64 powershell.exe 46->64         started        66 conhost.exe 46->66         started        68 2 other processes 48->68 70 2 other processes 50->70 72 2 other processes 52->72 74 2 other processes 54->74 process10 file11 124 Suspicious powershell command line found 56->124 126 Wscript starts Powershell (via cmd or directly) 56->126 76 powershell.exe 1 28 56->76         started        80 conhost.exe 56->80         started        96 C:\Users\user\AppData\Roaming\...\fb29.bat, ASCII 59->96 dropped 128 Loading BitLocker PowerShell Module 59->128 98 C:\Users\user\AppData\Roaming\...\5fde.bat, ASCII 64->98 dropped 82 WerFault.exe 4 21 64->82         started        100 C:\Users\user\AppData\Roaming\...\a5ab.bat, ASCII 68->100 dropped 84 WerFault.exe 68->84         started        102 C:\Users\user\AppData\Roaming\...\8306.bat, ASCII 70->102 dropped 86 WerFault.exe 70->86         started        104 C:\Users\user\AppData\Roaming\...\ee4a.bat, ASCII 72->104 dropped 88 WerFault.exe 72->88         started        106 C:\Users\user\AppData\Roaming\...\89fb.bat, ASCII 74->106 dropped 90 WerFault.exe 74->90         started        signatures12 process13 file14 108 C:\Users\user\AppData\Roaming\...\f506.bat, ASCII 76->108 dropped 142 Drops script or batch files to the startup folder 76->142 144 Found suspicious powershell code related to unpacking or dynamic code loading 76->144 146 Loading BitLocker PowerShell Module 76->146 92 WerFault.exe 21 76->92         started        signatures15 process16
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/1358a87d3ba43066bbbe4eb5e3a418fb6ee28fe40b832e6a0f2717205a484582
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1358a87d3ba43066bbbe4eb5e3a418fb6ee28fe40b832e6a0f2717205a484582/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.Cryptoload
Link:
https://tip.neiki.dev/file/1358a87d3ba43066bbbe4eb5e3a418fb6ee28fe40b832e6a0f2717205a484582
Threat name:
Script.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-11-03 19:12:52 UTC
File Type:
Text
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnmkq7j3uqygno56j226hjay7nxofd7ebobs42qpe4lsawsiiwba._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
4ffb945bc637b8c2e1d287c1f6127121d967e1366f0a437f2b7f505fac391f5d
DonutLoader
54b32bcf49895b56cc5a2f15fbefd0ed30ee9aef1aafbcf4eaf2f288e8384617
DonutLoader
80943dad82a060b3506f2312c2d282f117e08a1b16cd9f1f6fcaf852be916407
DonutLoader
b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9
DonutLoader
cc2204af1024b7fc2c9c7e0132ce788518f3d835741d489886fbab703c08d400
DonutLoader
db893d34023865952c4ba57e6e3330c424c828bc6a42c9edb224a48cc53b3a30
DonutLoader
error
DonutLoader
+ 151 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery execution loader
Link:
https://tria.ge/reports/251104-k1c4zaaz4g/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops startup file
Detects DonutLoader
DonutLoader
Donutloader family
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1358a87d3ba43066bbbe4eb5e3a418fb6ee28fe40b832e6a0f2717205a484582

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35250/

Comments