MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e3f15ee4076709de42b4c1f135e82448a365dbf6aa89425cf40fea55fd2910f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 10

SHA256 hash: 4e3f15ee4076709de42b4c1f135e82448a365dbf6aa89425cf40fea55fd2910f
SHA3-384 hash: b8c7d9640a8bd989fc70502f088af67e0306df4299659219d44951865d7f875d79f1e916c5cf7d222a750fdd595d9b82
SHA1 hash: f4f33779bfcdf0f5f2dacae25c988f8dac414a9c
MD5 hash: 7df9ceceab746389a3697e5be6bed2e6
humanhash: fruit-blossom-crazy-sink
File name: CPCUKHLQ.msi
Signature: DonutLoader
File size: 4'657'152 bytes
First seen: 2025-05-11 18:35:32 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:9hr+o5VqS73hmXmsVhvHQafXlx6VD88f4aZx3um/o+:Oo57kX1DHQadg8M4aZ/r
Threatray: 17 similar samples on MalwareBazaar
TLSH: T11626337060E3E7D2E2F36B7A5A4ADAC51839CF00C213F59765CDB9390F356A708698C6
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: skocherhan
Tags: donutloader msi


skocherhan
https://battlegridx.cfd/CPCUKHLQ.msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 122
Origin country: GB
Vendor Threat Intelligence

Verdict: Malicious
Score: 81.4%
Tags: virus spawn

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: expired-cert installer wix
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph: ID 1687291, sample CPCUKHLQ.msi, start date 11/05/2025, architecture WINDOWS, score 100 (process-tree graph image not reproduced)

Threat name: Win32.Trojan.Rugmi
Status: Malicious
First seen: 2025-04-21 10:54:13 UTC
File Type: Binary (Archive)
Extracted files: 8
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: donutloader
Score: 10/10
Tags: family:donutloader discovery loader persistence privilege_escalation spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects DonutLoader
DonutLoader
Donutloader family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

DonutLoader | Microsoft Software Installer (MSI) msi | 4e3f15ee4076709de42b4c1f135e82448a365dbf6aa89425cf40fea55fd2910f (this sample)

Comments