MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08
SHA3-384 hash: b8759c706c42cef0e4c72c31e6a9fb787df59d1f9a526db5f63862ab5cc070d2367daae666f5c117788b07da61a2229e
SHA1 hash: 3ff29bcbd9d07a0f3778813b91b2757502533713
MD5 hash: 3d78cabf9f4e0e9f873763cbd89a7406
humanhash: fillet-nuts-mars-neptune
File name:53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08.ps1
Download: download sample
Signature DonutLoader
Create hunting rule
File size:1'340 bytes
First seen:2026-02-17 07:00:40 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24:QLZ0pa+eodNbNGshdD3rnf2ZkWJoSr6eNTsGhZkWo5oUCVJakWj2ZkWvkWfkkWf/:W0qodNbNBhdD3D2ZRoSr6eDhZNVkL2Za
Threatray 2'708 similar samples on MalwareBazaar
TLSH T162214F4262EA0248B5F31E6C593EA9350AB77829CD39C74C018C649D5FF3950E871FE3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika powershell
Reporter JAMESWT_WT
Tags:178-16-53-70 donutloader ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Other.Malware-gen.25587459.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699412462715406c647a6762
Tags:
shell agent sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/69941243930564ff3ca517ee/reports/197eb357-2dcb-4693-ad7e-e8358ad3405f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08
Verdict:
Malicious
File Type:
unix shell
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb HEUR:Trojan.Multi.Donut.b Trojan-Downloader.Agent.HTTP.C&C Trojan.Win64.Agent.sb HEUR:Trojan.PowerShell.Generic Backdoor.Androm.HTTP.Download Trojan.Win32.Shellcode.sb HEUR:Trojan.Win64.Donut.a HEUR:Trojan.MSIL.Rozena.gen NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C Trojan.Win64.Agentb.sb Trojan.Shellcode.TCP.C&C
Link:
https://opentip.kaspersky.com/53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08/results?tab=lookup
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08
Threat name:
Script-PowerShell.Trojan.DonutLoader
Create hunting rule
Status:
Malicious
First seen:
2026-02-11 18:37:52 UTC
File Type:
Text (PowerShell)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kpokwf5sb6xwkpemxmy6nrf6ayq3hl4qa3kddsw2ilg6km6n3yea._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70
DonutLoader
283aef05e0d1fee9507b30bc62681ea3c66be52a80543f024b9500de541f24b0
DonutLoader
352002a140ad95183796c8744321f7a1888a9a012eba0962729d4a4d5f44c4c4
DonutLoader
3e02008bba6f868cf0bbe58a5428362c5f963a1dcb8d8682b1777af925a07587
DonutLoader
41e9c4a2e8d9fdf2f8853ab181f8333e0d83dcd728449cef5d4001eac8e50354
DonutLoader
5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
DonutLoader
a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222
DonutLoader
be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109
DonutLoader
error
DonutLoader
fc791cea301af15a8c46dfd5ddf048fbc52cb694d5e9118c41363675823a328b
DonutLoader
fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7
DonutLoader
+ 2'698 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader execution loader
Link:
https://tria.ge/reports/260217-hteywaaw6b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Badlisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53dcab17b20faf653c8cbb31e6c4be0621b3af9006d431cada42cde533cdde08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments