MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d799858922bd94541ded89edc69bde83fc8782d4a0bfb3cb10e50754d2ce6c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 14

SHA256 hash: 6d799858922bd94541ded89edc69bde83fc8782d4a0bfb3cb10e50754d2ce6c3
SHA3-384 hash: b91eacb2a210a19cf28297ad54c1ac692678b2ab2b96862f5ed1ae228680a4354b68273047968929d65f763f1a0f9b82
SHA1 hash: bdc146a6fe4991e40286657af4eeedebe1cbdd69
MD5 hash: 09123808505e68eb9c8e8d0d2dfe36e7
humanhash: washington-echo-ceiling-thirteen
File name: 09123808505e68eb9c8e8d0d2dfe36e7.exe
Signature: DonutLoader
File size: 4'019'712 bytes
First seen: 2026-06-15 16:33:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 635121680589a94eb9283ca58d1b2dcb (1 x DonutLoader)
ssdeep: 98304:zq8uqyEAn8LxQCtJb3hnxicHMIPni363VnFPQHADzHjHeHy3pC0iXHHbinSXN:u8LyEAn8LxQihnxicHMIPni363VnFPQ3
Threatray: 133 similar samples on MalwareBazaar
TLSH: T1AB166D9CE3282978DC14A0B95D6D1CEE1D1E1434668F88F347CAA89B0133FBB5DB4667
TrID: 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      23.5% (.EXE) Generic Win/DOS Executable (2002/3)
      23.5% (.EXE) DOS Executable (generic) (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: donutloader exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 191
Origin country: SE
Vendor Threat Intelligence

No detections
Malware family: n/a
ID: 1
File name: _6d799858922bd94541ded89edc69bde83fc8782d4a0bfb3cb10e50754d2ce6c3.exe
Verdict: No threats detected
Analysis date: 2026-06-15 16:35:42 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 96.5%
Tags: keylog virus word
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating synchronization primitives
  Using the Windows Management Instrumentation requests
  DNS request
  Connection attempt
  Sending a custom TCP request
  Creating a window
  Setting a keyboard event handler

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-debug evasive microsoft_visual_cc packed
Verdict: Malicious
File Type: exe x32
First seen: 2026-06-12T17:05:00Z UTC
Last seen: 2026-06-17T00:44:00Z UTC
Hits: ~10
Detections: PDM:Trojan.Win32.Generic, Trojan.Win32.HTA.awv
Result
Threat name: DonutLoader
Detection: malicious
Classification: spyw.evad.troj
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  Bypasses PowerShell execution policy
  Installs a global keyboard hook
  Joe Sandbox ML detected suspicious sample
  Loading BitLocker PowerShell Module
  Multi AV Scanner detection for submitted file
  Queries memory information (via WMI often done to detect virtual machines)
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
  Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
  Suricata IDS alerts for network traffic
  Suspicious powershell command line found
  Tries to harvest and steal Bitcoin Wallet information
  Unusual module load detection (module proxying)
Behaviour
Behavior Graph (ID 1928179; sample deaGN25QFQ.exe; start date 15/06/2026; architecture WINDOWS; score 100):
  Network: relay.greenwichcore.com 2.58.56.164, 49697, 49699, 49701, 028f45e8dd4f225cb46a7d8003745a3a7f55d3a0DE Netherlands
  Dropped file: C:\Users\user\AppData\...\deaGN25QFQ.exe.log (ASCII)
  Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Joe Sandbox ML detected suspicious sample
  Process tree:
    deaGN25QFQ.exe (Queries sensitive physical memory information via WMI, Win32_PhysicalMemory; Suspicious powershell command line found; Queries sensitive disk information via WMI, Win32_DiskDrive; 6 other signatures)
      powershell.exe (Loading BitLocker PowerShell Module)
        conhost.exe
      cmd.exe
        conhost.exe
        timeout.exe
        chcp.com
      cvtres.exe
      9 other processes
Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2026-06-12 23:58:46 UTC
File Type: PE (Exe)
AV detection: 21 of 36 (58.33%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution spyware stealer
Behaviour:
  Delays execution with timeout.exe
  Suspicious behavior: AddClipboardFormatListener
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Command and Scripting Interpreter: PowerShell
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Reads user/profile data of web browsers
Unpacked files

SHA256 hash: 6d799858922bd94541ded89edc69bde83fc8782d4a0bfb3cb10e50754d2ce6c3
MD5 hash: 09123808505e68eb9c8e8d0d2dfe36e7
SHA1 hash: bdc146a6fe4991e40286657af4eeedebe1cbdd69

SHA256 hash: 6bd3db335802629d696092291f133b21972f756ea0f4b668112e0de9e6008484
MD5 hash: 0f0603966c13e7bb5597387136cae0fe
SHA1 hash: 13d40cec226de50b37e4c4e667e6f025a335e822

SHA256 hash: b3a0d97855418520c840a764fb82b9afed0ef5077535f6361835d4c4a45aa33c
MD5 hash: 6110b2ef8ca3f94ec7788b1c421829f6
SHA1 hash: 8b908843ecebafd2905d6fbf69a0703f67a86083

SHA256 hash: 6a52ae2756f9498f5c0bde2314a07d418621e29a2f2062636406821a82826e7f
MD5 hash: e0a8e642ffbae181083b4ef9dced6c13
SHA1 hash: d20c391be55c76943e23ff8f132b050d7ee4d442

SHA256 hash: c950eafd03f3a594edb3e8cd326bcb79c688e0b446a9b6ce8b16a1b3cce9cc36
MD5 hash: 7d7a843ff497084e34bc6bdd72b8917a
SHA1 hash: de1ede0c57e726a14ee58dab6f897d94ffeba064

Malware family: DonutLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.
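An added example, not code from MalwareBazaar, abuse.ch or any of the sandbox vendors above: a small IOC sweep that runs the indicators this entry exposes (the sample and unpacked-file hashes, the contacted host relay.greenwichcore.com and the IP 2.58.56.164 from the behavior graph) over Sysmon-style log lines. The indicator values are copied from the entry; the log lines are constructed for illustration and are not real telemetry.

```python
"""IOC sweep for the DonutLoader sample described in this MalwareBazaar entry.

Added example, not code from MalwareBazaar, abuse.ch or any listed sandbox
vendor. Indicator values are copied from the entry; the log lines below are
constructed for illustration and do not come from a real host.
"""
import re
from dataclasses import dataclass

# Hashes from the entry: the submitted sample and the files unpacked from it.
# Stored lower-case so matching is case-insensitive.
FILE_HASHES = {
    # submitted sample (SHA256 / MD5 / SHA1)
    "6d799858922bd94541ded89edc69bde83fc8782d4a0bfb3cb10e50754d2ce6c3",
    "09123808505e68eb9c8e8d0d2dfe36e7",
    "bdc146a6fe4991e40286657af4eeedebe1cbdd69",
    # unpacked files (SHA256 only; MD5/SHA1 are in the entry if needed)
    "6bd3db335802629d696092291f133b21972f756ea0f4b668112e0de9e6008484",
    "b3a0d97855418520c840a764fb82b9afed0ef5077535f6361835d4c4a45aa33c",
    "6a52ae2756f9498f5c0bde2314a07d418621e29a2f2062636406821a82826e7f",
    "c950eafd03f3a594edb3e8cd326bcb79c688e0b446a9b6ce8b16a1b3cce9cc36",
}

# Network indicators from the sandbox behavior graph in the entry.
NETWORK_IOCS = {"relay.greenwichcore.com", "2.58.56.164"}

# Token extractors. The hex pattern only accepts MD5/SHA1/SHA256 lengths with
# word boundaries on both sides, so a longer hex run (e.g. the SHA3-384 above)
# is never cut into a false 32/40/64-character match.
HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str   # "hash", "domain" or "ip"
    value: str


def scan(lines):
    """Return every IOC match in the given log lines, in order of appearance."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for tok in HEX_RE.findall(line):
            if tok.lower() in FILE_HASHES:
                hits.append(Hit(n, "hash", tok.lower()))
        for tok in HOST_RE.findall(line):
            if tok.lower() in NETWORK_IOCS:
                hits.append(Hit(n, "domain", tok.lower()))
        for tok in IP_RE.findall(line):
            if tok in NETWORK_IOCS:
                hits.append(Hit(n, "ip", tok))
    return hits


def summarize(hits):
    """Group matched values by indicator kind for a quick triage view."""
    out = {}
    for h in hits:
        out.setdefault(h.kind, set()).add(h.value)
    return out


# Constructed Sysmon-style events (not real telemetry). Line 4 is a benign
# decoy with an unrelated hash; line 5 carries the sample's MD5 as a file name,
# which is how MalwareBazaar itself names the download.
SAMPLE_LOGS = [
    "EventID=1 Image=C:\\Users\\user\\Downloads\\deaGN25QFQ.exe Hashes=SHA256=6D799858922BD94541DED89EDC69BDE83FC8782D4A0BFB3CB10E50754D2CE6C3",
    "EventID=22 QueryName=relay.greenwichcore.com QueryStatus=0 Image=C:\\Users\\user\\Downloads\\deaGN25QFQ.exe",
    "EventID=3 DestinationIp=2.58.56.164 Protocol=tcp Image=C:\\Users\\user\\Downloads\\deaGN25QFQ.exe",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe Hashes=MD5=00000000000000000000000000000000",
    "EventID=11 TargetFilename=C:\\Users\\user\\AppData\\Local\\Temp\\09123808505e68eb9c8e8d0d2dfe36e7.exe",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.value}")
```

Hash matches are exact-match only: a repacked build of the same loader will not hit, which is what the ssdeep and TLSH values in the entry are for. The domain and IP are infrastructure indicators and age quickly; treat them as time-bound and re-check the entry's "Last seen" before alerting on them alone.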

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments