MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bfcf6de9b11a3e741c9dd1e9bec9bb129b123f204decb5f6bb227c6585ef1ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: 6bfcf6de9b11a3e741c9dd1e9bec9bb129b123f204decb5f6bb227c6585ef1ed
SHA3-384 hash: f3d343ef78a743dc93a78321b48c723b3725c2f40475c979ea26e4a0b41a7d86aecea843678f14faec5ad4f6933d970c
SHA1 hash: 15a13ae74aceccce2bc3017351cbb9aca345adfa
MD5 hash: 2da6be3647f1eb6a5ca2554264a5da4e
humanhash: kilo-black-april-carpet
File name: letsvpn-latest.msi
File size: 87'764'480 bytes
First seen: 2026-01-27 07:47:36 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 1572864:UA0wMuSt2arHMX2FNgZALw9pIcBbo2oO8cyh5gN8qvgE4lxZZMhMZZ:3CuOw2FNgZ8wzIWoO8LhaB2xZ2hMZZ
Threatray 987 similar samples on MalwareBazaar
TLSH T1BB183322B09ACA30C15F1B37EA66FD1E09743E533B2344D7E6B9BE7B05B18D24271652
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter zhuzhu0009
Tags: msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: SC
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm anti-vm at base64 CAB cmd donut evasive expired-cert expired-cert fingerprint fingerprint fingerprint installer large-file lolbin packed wix

Verdict: Malicious
File Type: msi
First seen: 2026-01-27T04:29:00Z UTC
Last seen: 2026-01-28T12:46:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Agent.sb, Trojan.Win32.DLLhijack.sb, Trojan.Win32.DLLhijack.adsn, Trojan.Win32.AutoRun.gen, Trojan.Win32.Shellcode.sb, Trojan.Win32.Inject.sb, Trojan.Win32.DLLhijack.adpr
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2026-01-27 07:49:29 UTC
File Type: Binary (Archive)
Extracted files: 3879
AV detection: 11 of 38 (28.95%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence privilege_escalation
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL

Malware family: DonutLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments