MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16
SHA3-384 hash: 930c487db67be11db81343e2b50f0c9531d2ec4a685c85fafd35111a62363928e2265370100f92c1ad4a12eb16e72c97
SHA1 hash: 5dd1bafb503b2cb74a5f7bc5260cf281839bf3db
MD5 hash: a9cb4681a3a86d3a0ef536a6ab985b56
humanhash: minnesota-hotel-nitrogen-earth
File name:ZNQJNQSS.msi
Download: download sample
Signature DonutLoader
Create hunting rule
File size:4'960'256 bytes
First seen:2025-05-20 08:04:33 UTC
Last seen:2025-05-21 10:59:05 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:Te8Z7BI+5V+3IyslrniCTpmTz+kEfKzf77PlvMzLaf2gZHPj3OMEEKbgH:T37BIH3IH0OdKznPl2gZqSK
Threatray 4 similar samples on MalwareBazaar
TLSH T1ED36336A3F5C5E59F6231379125485185F2ADC3CCEFAC782266AB70E03387937A1E391
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:donutloader msi quickrack-sbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682c37f4c28c67d666423a2c
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
crypto expired-cert fingerprint installer wix
Link:
https://www.filescan.io/uploads/682c37e9bff72ff46b66b3d5/reports/f7c5a685-1715-4c42-a23d-34ea846d8b39/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1694639
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses threadpools to delay analysis
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1694639 Sample: ZNQJNQSS.msi Startdate: 20/05/2025 Architecture: WINDOWS Score: 100 89 sync-9g.cfd 2->89 105 Suricata IDS alerts for network traffic 2->105 107 Malicious sample detected (through community Yara rule) 2->107 109 Multi AV Scanner detection for dropped file 2->109 111 2 other signatures 2->111 11 msiexec.exe 79 39 2->11         started        14 Hub_F.exe 5 2->14         started        17 msedge.exe 2->17         started        20 msiexec.exe 3 2->20         started        signatures3 process4 dnsIp5 77 C:\Users\user\AppData\Local\...\Hub_F.exe, PE32 11->77 dropped 79 C:\Users\user\AppData\Local\...\msvcr80.dll, PE32 11->79 dropped 81 C:\Users\user\AppData\Local\...\msidcrl40.dll, PE32 11->81 dropped 22 Hub_F.exe 6 11->22         started        83 C:\Users\user\AppData\Local\Temp\810CE3.tmp, PE32+ 14->83 dropped 139 Modifies the context of a thread in another process (thread injection) 14->139 141 Maps a DLL or memory area into another process 14->141 26 tcpvcon.exe 14->26         started        28 DaemonUpdate_x64.exe 14->28         started        85 239.255.255.250 unknown Reserved 17->85 30 msedge.exe 17->30         started        33 msedge.exe 17->33         started        35 msedge.exe 17->35         started        file6 signatures7 process8 dnsIp9 71 C:\ProgramData\Zep_Client_test\Hub_F.exe, PE32 22->71 dropped 73 C:\ProgramData\Zep_Client_test\msvcr80.dll, PE32 22->73 dropped 75 C:\ProgramData\...\msidcrl40.dll, PE32 22->75 dropped 121 Uses threadpools to delay analysis 22->121 123 Switches to a custom stack to bypass stack traces 22->123 125 Found direct / indirect Syscall (likely to bypass EDR) 22->125 127 Contains functionality to detect sleep reduction / modifications 22->127 37 Hub_F.exe 7 22->37         started        41 conhost.exe 26->41         started        99 13.107.246.69, 443, 49764, 49770 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->99 101 13.91.96.185, 443, 49740 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->101 103 21 other IPs or domains 30->103 file10 signatures11 process12 file13 65 C:\Users\user\AppData\Roaming\...\tcpvcon.exe, PE32 37->65 dropped 67 C:\Users\user\...\DaemonUpdate_x64.exe, PE32+ 37->67 dropped 69 C:\Users\user\AppData\Local\...\5B41574.tmp, PE32+ 37->69 dropped 113 Modifies the context of a thread in another process (thread injection) 37->113 115 Found hidden mapped module (file has been removed from disk) 37->115 117 Maps a DLL or memory area into another process 37->117 119 4 other signatures 37->119 43 DaemonUpdate_x64.exe 37->43         started        47 tcpvcon.exe 3 37->47         started        signatures14 process15 dnsIp16 97 sync-9g.cfd 172.67.130.81, 443, 49694, 49695 CLOUDFLARENETUS United States 43->97 129 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 43->129 131 Tries to harvest and steal browser information (history, passwords, etc) 43->131 133 Writes to foreign memory regions 43->133 137 5 other signatures 43->137 49 chrome.exe 7 43->49         started        52 msedge.exe 10 43->52         started        135 Switches to a custom stack to bypass stack traces 47->135 54 conhost.exe 47->54         started        signatures17 process18 dnsIp19 87 192.168.2.5, 138, 443, 49675 unknown unknown 49->87 56 chrome.exe 49->56         started        59 chrome.exe 49->59         started        61 chrome.exe 49->61         started        63 msedge.exe 52->63         started        process20 dnsIp21 91 www.google.com 142.250.217.132, 443, 49702, 49706 GOOGLEUS United States 56->91 93 plus.l.google.com 56->93 95 3 other IPs or domains 56->95
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-20 02:58:51 UTC
File Type:
Binary (Archive)
Extracted files:
41
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjvmv4fsknwqkmjmtgp7jpvvxmxsxs75us7ur7fcv7iavvbzdmla._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
Similar samples:
19f6b0cbf4d58ca4c4dda40eb41107ad5bdf05fb914dd3c5fdb101dbde4532e8
DonutLoader
2e8ac3980feb2ed56f39fac3763eed0fba77740a7b5cd74bccd8b7d59223c79d
DonutLoader
a5c2cd0db95e87a627f59f7c0b66753969a6a036744e21e437ead5074b9a30a3
DonutLoader
c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591
DonutLoader
error
DonutLoader
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery loader persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250520-jy5wjael3y/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects DonutLoader
DonutLoader
Donutloader family
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/526acaf0b253/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DonutLoader

Microsoft Software Installer (MSI) msi 526acaf0b2536d05312c999ff4beb5bb2f2bcbfda4bf48fca2afd00ad4391b16

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3547682/
  
Delivery method
Distributed via web download

Comments