MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70
SHA3-384 hash: 0777553110a16cc99e8daf3c51f6294186f9c0d491503bc5755caafb15233bdf61f277ff03fd510d90ebd2b0fc5cb6bd
SHA1 hash: 95d13e2e5719e9730f81da87a28d06fdc59d19cc
MD5 hash: 72887ddcc9bc29b8296072d6134f20a8
humanhash: freddie-vegan-purple-wyoming
File name:17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70 (2).ps1
Download: download sample
Signature DonutLoader
Create hunting rule
File size:672 bytes
First seen:2026-02-17 06:59:35 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:OyfBhPhbHEzh0JkLJX8WFiyTnISV7YsWN7Wo0UqymwCGE8WlAvEiR:75fTEuwR8WFiGIDHWoaF8WSR
Threatray 2'705 similar samples on MalwareBazaar
TLSH T1C4017825B2AC1E0308F63925F6097742D98116333302782171A1D6C63FBCDA7DD1B492
Magika powershell
Reporter JAMESWT_WT
Tags:178-16-53-70 donutloader ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Other.Malware-gen.86563827.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6994120c0d0369ff997a2123
Tags:
shell agent sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/69941205981ff1d38a586164/reports/634699f3-87f7-4f08-a676-1e593ed331a1/overview
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70
Verdict:
Malicious
File Type:
unix shell
Detections:
Trojan-Downloader.Agent.HTTP.C&C PDM:Trojan.Win32.Generic Backdoor.Androm.HTTP.Download Trojan.Win32.Shellcode.sb HEUR:Trojan.Win64.Donut.a Trojan.Win64.Agentb.sb Trojan.Win64.Agent.sb HEUR:Trojan.PowerShell.Generic Trojan.Win32.Agent.sb HEUR:Trojan.Multi.Donut.b HEUR:Trojan.MSIL.Rozena.gen Trojan.Shellcode.TCP.C&C NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70/results?tab=lookup
Score:
1%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70
Threat name:
Script-PowerShell.Trojan.DonutLoader
Create hunting rule
Status:
Malicious
First seen:
2026-02-06 07:50:12 UTC
File Type:
Text (PowerShell)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7nlzgpo5tsecngddl6lxjwzh7w64yxqdhhv5lnsxfbywhsjdzya._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
29ffffb8bba66471daaab7684fbafe004fe92a7806785d117316b73d5695db00
DonutLoader
3e02008bba6f868cf0bbe58a5428362c5f963a1dcb8d8682b1777af925a07587
DonutLoader
3e081805b7db9aa700d3e96fe2212493e1d4704a43ec7b57459f7dd0eb33bbd3
DonutLoader
41e9c4a2e8d9fdf2f8853ab181f8333e0d83dcd728449cef5d4001eac8e50354
DonutLoader
5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
DonutLoader
713fe892def917dd16fa304cf3719a22418c2b9db9d8e36cee27973f788236eb
DonutLoader
a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222
DonutLoader
be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109
DonutLoader
error
DonutLoader
fc791cea301af15a8c46dfd5ddf048fbc52cb694d5e9118c41363675823a328b
DonutLoader
fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7
DonutLoader
+ 2'695 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader execution loader
Link:
https://tria.ge/reports/260217-hst2eaaw3h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Badlisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments