MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4156e2eee44ca9dcc857741f3944991cf5fa38a5ef0c575e153a3f13c2748fca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4156e2eee44ca9dcc857741f3944991cf5fa38a5ef0c575e153a3f13c2748fca
SHA3-384 hash: 10fbdec75b525dc8963cbf6a7bace5be6d22f905763a61070ca8db278d8e27e1e733363f65ce2c08a3a43d973043b6ca
SHA1 hash: c9b28ecf1a00807d16934ff622ed2554d71f829f
MD5 hash: bcb7963e24ba4775c54b79f2172ad723
humanhash: single-aspen-leopard-virginia
File name:InstallerApp_ver12.02.zip
Download: download sample
Signature DonutLoader
Create hunting rule
File size:61'660'223 bytes
First seen:2025-05-07 19:55:55 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 1572864:MtmKLQHvRdV7WKY9Jc82p0oxcTYM8P7fuQvLW:7KMP9WV9yj0Lm7f5q
TLSH T107D7334E46DAFE84C31774D19F14FAED202ACE3F2586F38AC41653AAB415913934AED3
Magika zip
Reporter aachum
Tags:donutloader HIjackLoader IDATLoader zip


Avatar
iamaachum
https://github.com/legendary99999/officialapp2025/releases/download/quideme/InstallerApp_ver12.02.zip

C2:
https://sciecdn.cfd/David_Hilton?hxkb5zprsuk=xd4miEwra%2BhUx85OZ%2BguG9IwpgSiH1hHaIcw%2BgRF2rg4GgkI5dHKAAVcm3Vc8VNvU%2BOJbEXIFdq6%2FG%2F2xGiVkw%3D%3D

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
ES ES
File Archive Information

This file archive contains 7 file(s), sorted by their relevance:

File name:InstallerApp_ver12.02.exe
File size:7'602'752 bytes
SHA256 hash: 55ea17a44d7a9882236b5cda25fa844e62cb1a4fe8d5cdc17b3591f4f98aa802
MD5 hash: fa122de570f5f04feb13ded859bfa96c
MIME type:application/x-dosexec
Signature DonutLoader
File name:Zoogbaertdend.pgym
File size:4'531'078 bytes
SHA256 hash: 9e212ce72d0a71ffaa1180022839a63ed07e517e127236230c5e8ce2e523bd21
MD5 hash: 6fe91898f293f5516a24720ab7e552d6
MIME type:application/octet-stream
Signature DonutLoader
File name:Jiekeeddait.czqk
File size:55'375 bytes
SHA256 hash: f7ab4efbff4604ef22672b24d4d6b45227d0dca7f4ef72eed63379b45ac382c2
MD5 hash: c7d2a0efe08cdc69341c60f755928d8a
MIME type:application/octet-stream
Signature DonutLoader
File name:sqlite3.dll
File size:699'048 bytes
SHA256 hash: 506999fc82648367840915f93daab55d9c2efddd1759047d383f3a151a31c300
MD5 hash: 1527dc19adb673f07c9884c279159691
MIME type:application/x-dosexec
Signature DonutLoader
File name:tsetup-x64.5.13.1.exe
File size:47'500'544 bytes
SHA256 hash: 315da519075103c99f59f5b7de2ca412818d75c316838452a6ebeaaf3a4ead89
MD5 hash: 171c6c02334b6a433ae545c9fa07749a
MIME type:application/x-dosexec
Signature DonutLoader
File name:npp.8.7.9.Installer.x64.exe
File size:6'703'352 bytes
SHA256 hash: d3ced3c33d91bc8f09f9dbd315867b09158fa907fdd7454eaea15e933a32cada
MD5 hash: 22fe54746f6c4d6e5a7986296ec5e931
MIME type:application/x-dosexec
Signature DonutLoader
File name:datastate.dll
File size:60'928 bytes
SHA256 hash: a1546cc127038b0ee28e11fbc74e5da52b69178c16d09b2d9cf6a5a746f52ab5
MD5 hash: a10ca73417b0059f3a0c266bfe581b6a
MIME type:application/x-dosexec
Signature DonutLoader
Vendor Threat Intelligence
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681bbb7791991ead82b5f215
Tags:
infosteal
Verdict:
Unknown
Threat level:
n/a  -.1/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint installer overlay packed powershell signed
Link:
https://www.filescan.io/uploads/681bbaed0b64e174c41c89a2/reports/c094ebb1-15c5-4227-a562-139f358dd524/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4156e2eee44ca9dcc857741f3944991cf5fa38a5ef0c575e153a3f13c2748fca
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4156e2eee44ca9dcc857741f3944991cf5fa38a5ef0c575e153a3f13c2748fca
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
46%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/4156e2eee44ca9dcc857741f3944991cf5fa38a5ef0c575e153a3f13c2748fca
Gathering data
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-05-03 07:17:24 UTC
File Type:
Binary (Archive)
Extracted files:
2618
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iflof3xejsu5zscxoqptsrezdt27uoff54gfoxqvhi7rhqtur7fa._file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_sysscan_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DonutLoader

zip 4156e2eee44ca9dcc857741f3944991cf5fa38a5ef0c575e153a3f13c2748fca

(this sample)

Microsoft Software Installer (MSI) msi dbb8323b67e456a39df69d6de430c66654f6ca05fd104afb70be3a46def254de

  
Link
https://tria.ge/250507-x7e85avyby/behavioral1
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3533529/
  
Dropping
SHA256 dbb8323b67e456a39df69d6de430c66654f6ca05fd104afb70be3a46def254de
  
Dropping
MD5 a96d1359d3bdb0dfee9492e8eb295323
  
Dropping
SHA256 a1546cc127038b0ee28e11fbc74e5da52b69178c16d09b2d9cf6a5a746f52ab5
  
Dropping
MD5 a10ca73417b0059f3a0c266bfe581b6a

Comments