MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 696352b6b7c282736cb240651682b07a5feaa68ac065e9128f946779db00b02b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 14

SHA256 hash: 696352b6b7c282736cb240651682b07a5feaa68ac065e9128f946779db00b02b
SHA3-384 hash: 5e3dddb2ce91b5085cc51ea3d68b1b1172def383f81927b86a2b41c73f9a710d413aa52d0f16bf9d9034688167b1716b
SHA1 hash: 51ca5babd3fc1d041694207ac24dd9d733aa79f3
MD5 hash: 4494bfdb290b6b1738c501fd06832376
humanhash: jig-orange-sink-finch
File name: Setup.exe
Download: download sample
File size: 1'645'056 bytes
First seen: 2025-12-24 19:53:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:15k7Q4akrcsB3eUAp0IrRDRtK/W+Z29LyicqNSQDVvL45rIZK:jrBkQs1eUAvpK/j29HNpVvL4xO
Threatray: 93 similar samples on MalwareBazaar
TLSH: T1AF753572A2987ED6F07716B5C461BA7085B5EC516C23750A63C4728CC6B03A8DB8DECF
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: burger
Tags: donutloader exe

Intelligence


File Origin
Uploads: 1
Downloads: 79
Origin country: DE
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2025-12-24 19:53:11 UTC
Tags: donutloader loader crypto-regex

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: shellcode autorun sage remo
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: explorer installer-heuristic lolbin packed
Verdict: Malicious
Labeled as: Trojan[Backdoor]/MSIL.PulsarRAT
Verdict: Malicious
File Type: exe x32
First seen: 2025-12-24T16:54:00Z UTC
Last seen: 2025-12-24T16:59:00Z UTC
Hits: ~10
Detections: Trojan.MSIL.Agent.sb HEUR:Backdoor.MSIL.PulsarRAT.gen Backdoor.MSIL.PulsarRAT.sb Backdoor.MSIL.Agent.sb Trojan-PSW.MSIL.Agent.sb Trojan.Win32.Shellcode.sb
Result
Threat name: DonutLoader, Quasar
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DonutLoader
Yara detected Quasar RAT
Behaviour
Behavior Graph (ID: 1839074; Sample: Setup.exe; Startdate: 24/12/2025; Architecture: WINDOWS; Score: 100)
Root node (2):
  DNS/IP: xyxy3595-34063.portmap.host
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected DonutLoader; 4 other signatures
  Started: Setup.exe (node 9), office.exe (node 13)
Setup.exe (node 9):
  Dropped: C:\Users\user\AppData\Roaming\...\office.exe (PE32); C:\Users\user\AppData\...\lcwp1mrn.cmdline (Unicode); C:\Users\user\AppData\Local\...\Setup.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier); Unusual module load detection (module proxying)
  Started: office.exe (node 15), csc.exe (node 19), schtasks.exe (node 22)
office.exe (node 13):
  Started: csc.exe (node 24)
office.exe (node 15):
  DNS/IP: xyxy3595-34063.portmap.host, 193.161.193.99:34063, BITREE-ASRU, Russian Federation
  Signatures: Multi AV Scanner detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier); Unusual module load detection (module proxying)
  Started: csc.exe (node 26), schtasks.exe (node 29)
csc.exe (node 19):
  Dropped: C:\Users\user\AppData\Local\...\lcwp1mrn.dll (PE32)
  Started: conhost.exe (node 31), cvtres.exe (node 33)
schtasks.exe (node 22):
  Started: conhost.exe (node 35)
csc.exe (node 24):
  Dropped: C:\Users\user\AppData\Local\...\oi3fr2m0.dll (PE32)
  Started: conhost.exe (node 37), cvtres.exe (node 39)
csc.exe (node 26):
  Dropped: C:\Users\user\AppData\Local\...\pbajrshj.dll (PE32)
  Started: conhost.exe (node 41), cvtres.exe (node 43)
schtasks.exe (node 29):
  Started: conhost.exe (node 45)
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.26 Win 32 Exe x86
Verdict: Malicious
Tags: loader Win.Packed.Rozena-10029918-0
YARA: Windows_Trojan_Donutloader_f40e3759
Unpacked files
SHA256 hash: 696352b6b7c282736cb240651682b07a5feaa68ac065e9128f946779db00b02b
MD5 hash: 4494bfdb290b6b1738c501fd06832376
SHA1 hash: 51ca5babd3fc1d041694207ac24dd9d733aa79f3

SHA256 hash: f8539492f598700636e26b87fba6fc37ad8268d33146f30f0b5c3f4e38cbcc1e
MD5 hash: d1f7b9f0371f2f6e72737e718950d31e
SHA1 hash: 3416776ecb9edef1964065caa5679b959d51b9d4

SHA256 hash: 2f810da956fed7faf74c8ce2cf65638ccdaa92b282dc7492592d7aedce280c44
MD5 hash: 0020b06dc2018cc2b5bf98945a39cbd3
SHA1 hash: 71ad34cd9f4f3ee2328ca1c7a64a576499208f43
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24 HKTL_NET_GUID_Quasar

SHA256 hash: 1d8b5956c4fff4507fe8330fb1d58851268097cc607cf4b90badd88a7315c3bb
MD5 hash: 7e98e4e26acb2c641eca8a4993789964
SHA1 hash: 8acfd7bf55579203b445cf1631c45d80977cd810
Detections: cn_utf8_windows_terminal malware_windows_xrat_quasarrat MAL_BackNet_Nov18_1 INDICATOR_EXE_Packed_Fody INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Malware family: DonutLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Windows_Trojan_Donutloader_f40e3759
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments