MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ebfdf71910f9b5da413b3d5e5a561b15a82603a4b0b81ef0c5cbd776ad5ff81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	6ebfdf71910f9b5da413b3d5e5a561b15a82603a4b0b81ef0c5cbd776ad5ff81
SHA3-384 hash:	61cbb966e299e37f30751d199093af2e02924ce6b657c7aca45c8f3a6a47f5b3d15ef8ffbeb65a9512a41d98077853d3
SHA1 hash:	cd96db323b788dc80f154ea0220d359780c0eab2
MD5 hash:	34d742fb3ef89b962be944303f505346
humanhash:	coffee-failed-paris-hawaii
File name:	ПІДТВЕРДЖЕННЯ_ОПЛАТИ_ТРАНЗАКЦІЯ_ЗАВЕРШЕНА.lzh
Download:	download sample
Signature	DonutLoader Create hunting rule
File size:	2'823'988 bytes
First seen:	2026-01-20 09:18:42 UTC
Last seen:	Never
File type:	lzh
MIME type:	application/x-lzh-compressed
ssdeep	49152:6SmKGuXgkB3uvyeQKX57I1Z9Kwnh71n0xeL9CD05E4RYxkQaHzCzuDJKDJ9p:JmKzXgkfey9Ke7V0x4RD5HzCzuEDJH
TLSH	T128D5332F999554B072C06DFCBC4E226F7AB82DB992845B7CC3F0C51C72C85B04B9AD96
TrID	99.8% (.LZH) LHARK compressed archive (2504/2/1) 0.1% (.LZH/LHA) LHARC/LZARK compressed archive (generic) (4/2)
Magika	lha
Reporter	smica83
Tags:	donutloader lzh UKR

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	?????????????_??????_??????????_?????????.JS
File size:	6'774'930 bytes
SHA256 hash:	40b522cbecb83a9a78f51ba421617e6c306ffe0fc49eea9930cbd0e047a1051b
MD5 hash:	7b69ba24c5e8da8a0ba661b08cebfa7b
MIME type:	text/plain
Signature	DonutLoader

Vendor Threat Intelligence

No detections

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696f4896bcad3327ec06b3f1

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug autoit dropper evasive expired-cert fingerprint keylogger obfuscated repaired zero-day

Link:

https://www.filescan.io/uploads/696f489755805a763fea6258/reports/4a31bb1b-c884-4922-8a2b-3519c11c0ca6/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/6ebfdf71910f9b5da413b3d5e5a561b15a82603a4b0b81ef0c5cbd776ad5ff81

Verdict:

Malicious

File Type:

lha

First seen:

2026-01-20T06:25:00Z UTC

Last seen:

2026-01-20T06:49:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.Script.Generic Trojan-Downloader.JS.Cryptoload.sb Trojan.Win32.Shellcode.sb Backdoor.Win32.Remcos.sb HEUR:Trojan-Dropper.Script.Generic

Link:

https://opentip.kaspersky.com/6ebfdf71910f9b5da413b3d5e5a561b15a82603a4b0b81ef0c5cbd776ad5ff81/results?tab=lookup

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6ebfdf71910f9b5da413b3d5e5a561b15a82603a4b0b81ef0c5cbd776ad5ff81/

Verdict:

Malicious

Threat:

Family.DONUTLOADER

Link:

https://tip.neiki.dev/file/6ebfdf71910f9b5da413b3d5e5a561b15a82603a4b0b81ef0c5cbd776ad5ff81

Threat name:

Script-JS.Trojan.Malgent

Status:

Malicious

First seen:

2026-01-20 09:19:34 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n27564mrb6nv3jatwpk6ljlbwfnieyb2jmfyd3ymls6xo2wv76aq._file

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:donutloader collection discovery execution loader

Link:

https://tria.ge/reports/260120-q66lcsev4a/

Behaviour

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Checks computer location settings

Executes dropped EXE

Detected Nirsoft tools

NirSoft MailPassView

Detects DonutLoader

DonutLoader

Donutloader family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6ebfdf71910f9b5da413b3d5e5a561b15a82603a4b0b81ef0c5cbd776ad5ff81

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample