MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 175f203940f1cf367829cdb3ecdb402ad4de7bc02847c7b7bc819a016701d5bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	175f203940f1cf367829cdb3ecdb402ad4de7bc02847c7b7bc819a016701d5bc
SHA3-384 hash:	db7d273dfa0b98c7c9b6c7500fbe7676500ec3a719066c2186e9898b08346e838549bc2f3502ac716caa737fff429223
SHA1 hash:	0a87e5aaae2055beda3407430522df5bb25acf4b
MD5 hash:	518d700cee46d88cc822637fe02dd25c
humanhash:	bluebird-king-pennsylvania-oven
File name:	Diptyque Paris Plan ADS.js
Download:	download sample
Signature	DonutLoader Create hunting rule
File size:	536'415 bytes
First seen:	2025-06-02 21:00:42 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	384:R44444444444E44444444444z44444444444a944444444444744444444444E4q:8+
Threatray	271 similar samples on MalwareBazaar
TLSH	T157B4AE36BEC3AC994D085CB60E7A077CADF41B6B7AD0947B4C9792801DC249DBEC45B2
Magika	txt
Reporter	smica83
Tags:	donutloader js

Intelligence

File Origin

# of uploads :

# of downloads :

431

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683e11bd8bd5d68a12e3f340

Tags:

autorun overt spawn sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated powershell

Link:

https://www.filescan.io/uploads/683e1114fd02ed5e059447cd/reports/b2cdc54e-2733-44b3-8574-6881bf6cb0d3/overview

Verdict:

Malicious

Labled as:

SVM:TrojanDownloader/JS.Nemucod

Link:

https://www.hybrid-analysis.com/sample/175f203940f1cf367829cdb3ecdb402ad4de7bc02847c7b7bc819a016701d5bc

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1704357

Signature

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/175f203940f1cf367829cdb3ecdb402ad4de7bc02847c7b7bc819a016701d5bc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/175f203940f1cf367829cdb3ecdb402ad4de7bc02847c7b7bc819a016701d5bc/

Threat name:

Script-JS.Downloader.Nemucod

Status:

Malicious

First seen:

2025-06-02 17:39:08 UTC

File Type:

Text (JavaScript)

AV detection:

6 of 24 (25.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c5psaoka6hhtm6bjzwz6zw2aflkn466afbd4pn54qgnaczyb2w6a._file

Verdict:

malicious

Label(s):

resolverrat

DonutLoader

16980ea9727fbd47cd544af3adb1750a6fd4e607b7f7de9e97d136f00835d0b0

DonutLoader

1ecc353c089e2581af25543adfbcf3d1600d622c5f908a4012e2f73b6d38fc3f

DonutLoader

4373ec87c988abcb11a483bc9b6225760464b1929a0e1dee1ffcbdd76c1b242c

DonutLoader

47245d2a1c869294356a5fad2cc24bdc89a75799563b7ef81b4b933c6f8a644c

DonutLoader

9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59

DonutLoader

b52b2eddde8a80f4c2704382446b169e1f684e0561c1aa880631af22d3d6a3f0

DonutLoader

error

DonutLoader

+ 261 additional samples on MalwareBazaar

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:donutloader agilenet discovery execution loader

Link:

https://tria.ge/reports/250602-ztxmcsdr3z/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Detects DonutLoader

DonutLoader

Donutloader family

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample