MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661
SHA3-384 hash: 6d8cb6f458f79b5eefb49d6aa3010dc9ec8624302b1efb2fed4c09f9196cac77151eb07742720888f74b74662427de24
SHA1 hash: 98d39d79f46d3c321b00628804b6623c8d02cdbb
MD5 hash: 859195d02b1b7dbe1ffbe32e2407b23d
humanhash: mirror-hotel-salami-floor
File name:677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661
Download: download sample
Signature DonutLoader
Create hunting rule
File size:22'016 bytes
First seen:2026-03-30 19:28:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash da653b036f3daaaed2f1c91cd466ba46 (1 x DonutLoader)
ssdeep 384:Y8M81ycmDlbwiBqZ0Gx2vUZWNFnnnFjtjacuVxM1e+:LMWycm94j88WNbjtjacu7MF
Threatray 955 similar samples on MalwareBazaar
TLSH T12AA2E80FA24394DCC81FC1789AE98277B5B1B91164A7671D27B0CA320F34DAA6F3CB55
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Anonymous
Tags:Donut donutloader dropper exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
DO DO
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661
Verdict:
Malicious activity
Analysis date:
2026-03-30 19:29:27 UTC
Tags:
generic
Link:
https://app.any.run/tasks/befd9085-a91f-4966-97f9-7812d6547722

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69caced23a18a6e1ddefd557
Tags:
emotet trojan virus hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-03-24T12:45:00Z UTC
Last seen:
2026-03-31T09:45:00Z UTC
Hits:
~100
Detections:
Backdoor.Androm.HTTP.Download Trojan.Win32.Shellcode.sb HEUR:Trojan.Win64.Donut.a HEUR:Trojan.Multi.Donut.b Backdoor.Win32.Androm.wbwc Trojan-PSW.PureLogs.TCP.C&C PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a99744f9-5e08-46c0-b2f5-c5f2e637e865
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/859195d02b1b7dbe1ffbe32e2407b23d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-03-24 19:12:08 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m55qyskypqw5yytlj2ncdkqwd6wxcwv4qb2n3lfvko6sn6hlizqq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
03e4185a6e817ffa0957b0a8091f328232bd0d5dab4246c892c344188997b888
DonutLoader
17827b50808e9db7bfa7e43f7d1ce10b7a5b0920c78bd21824615980b23c2f65
DonutLoader
182272eef867fc6f3bcb4dfd68e7e9d27098a68f8f05dd45c12bb000537ea2bd
DonutLoader
22fefa7177abe14024d8af87cc8cac2f3974a35a1ea2bf962a78206baa1cf535
DonutLoader
5dd9cbc64e7414cc479191cbef353c9456d75579d6453157b5f696edeba2d8b5
DonutLoader
658d3acfc7e71d6b3451973ab8c207dca57264f9b17fc9e37c8b7a1e46561489
DonutLoader
812d2d8436985fc8531315970b2af6bcdd697f9033bc12841ce467e6fda94408
DonutLoader
a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222
DonutLoader
e026b43e5a2b1ec0409e7dc3b60631146a0e68203780dd5b80e2b9673ab08f3c
DonutLoader
error
DonutLoader
+ 945 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader loader
Link:
https://tria.ge/reports/260330-x6q91ah171/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects DonutLoader
DonutLoader
Donutloader family
Unpacked files
SH256 hash:
677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661
MD5 hash:
859195d02b1b7dbe1ffbe32e2407b23d
SHA1 hash:
98d39d79f46d3c321b00628804b6623c8d02cdbb
Link:
https://www.unpac.me/results/077f902b-97a1-4c2b-b772-1a2ba59212fe/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/677b0c49587c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DonutLoader

Executable exe 677b0c49587c2ddc626b4e9a21aa161fad715abc8074ddacb553bd26f8eb4661

(this sample)

  
Dropped by
Donut Malware
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/59801/

Comments