MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597
SHA3-384 hash:	29d268ccb2ced8725560c3528768c0bd1af31b3eddb8e5d08cac657a0025bb06f7930177c6708f9aa9d40fd9a7343553
SHA1 hash:	ea2c43a948745edd6dc2a9d58296a056eeed4dde
MD5 hash:	76a21e3556b251bbd34d05905c332431
humanhash:	zebra-west-oranges-solar
File name:	tgxHia7.exe
Download:	download sample
Signature	DonutLoader Create hunting rule
File size:	2'416'128 bytes
First seen:	2025-05-25 15:21:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5aa6204d725c68b3459f36adc7b4216a (1 x DonutLoader)
ssdeep	49152:rTlx31tp5+Ill/MKVyl0pUQ8YGMMWRZzopFnjxB5SW1Knczgj7SzJmJ2VFIoxL3W:ryCqSeHVSox
TLSH	T100B55A2B55A9609AE3E7C07CF1165752FC3076480E39A7B724B683923770A2C9B7D372
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	donutloader exe

Intelligence

File Origin

# of uploads :

# of downloads :

430

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

tgxHia7.exe

Verdict:

Malicious activity

Analysis date:

2025-05-25 15:24:58 UTC

Tags:

stealer ultravnc rmm-tool

Link:

https://app.any.run/tasks/6740b768-725c-44e4-9170-0d6a54867186

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.5757.4648.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683336494912a6b9dd4d5618

Tags:

spoof virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug packed packed packer_detected

Link:

https://www.filescan.io/uploads/68333590fd02ed5e0587057b/reports/2eeb2c90-c4c3-4120-9b99-584ff2b1a439/overview

Verdict:

Malicious

Labled as:

Ulise.Generic

Link:

https://www.hybrid-analysis.com/sample/3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/78e57a94-c2b2-4ed8-80d6-1127a47d11b0

Result

Threat name:

n/a

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1698798

Signature

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597

Threat name:

Win64.Trojan.Ulise

Status:

Malicious

First seen:

2025-05-25 15:21:55 UTC

File Type:

PE+ (Exe)

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hn5yzqjvoqgl4y4ew2y3vzptxyfr2zyy446k7oysjenwdvmiewlq._file

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:donutloader discovery loader spyware stealer

Link:

https://tria.ge/reports/250525-srs3tstlx9/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Browser Information Discovery

Drops file in Windows directory

Reads user/profile data of web browsers

Detects DonutLoader

DonutLoader

Donutloader family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/167afe92-b368-4277-9ae9-d7fc90178d80

Unpacked files

SH256 hash:

3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597

MD5 hash:

76a21e3556b251bbd34d05905c332431

SHA1 hash:

ea2c43a948745edd6dc2a9d58296a056eeed4dde

Link:

https://www.unpac.me/results/f568af27-786c-4182-acf2-4eaf8aadad0f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3b7b8cc13574/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DonutLoader

exe 3b7b8cc135740cbe6384b6b1bae5f3be0b1d6718e73cafbb12491b61d5882597

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3552380/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample