MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e
SHA3-384 hash: 7d8d919099a38eca777c1ed52e4a59c6d829f2ba76c14522a5cedec71e264457b060934623ad34bf009b3dbf435f5a71
SHA1 hash: 619d7e703f2178cf1794dac78c1da8aa3b1353cb
MD5 hash: 7de220d7296166fbb91e889fbfe0737b
humanhash: massachusetts-vermont-eleven-autumn
File name:1.exe
Download: download sample
Signature DonutLoader
Create hunting rule
File size:5'563'904 bytes
First seen:2026-04-01 07:31:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (57 x PureHVNC, 56 x Stealc, 35 x CoinMiner)
ssdeep 98304:mgH6BUkSSUfixd2jVZp9541rE8/XcpnC7TmyXeb+2kAK+rAp80pS:mgaBUkS7fE2jV55yrBOC7TRfAFo8b
TLSH T1D546336476AD2E38D59A963E0A0F3F22F60126FC9721E03C17469E0B5237F7543B9729
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter aachum
Tags:196-18-12-167 donutloader exe fullsofts-org


Avatar
iamaachum
https://fullsofts.org/ => https://fileport.io/pK9f4DLuUfXu

C2: 196.18.12.167:8000

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
ES ES
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
1.exe
Verdict:
No threats detected
Analysis date:
2026-04-01 07:27:52 UTC
Tags:
themida
Link:
https://app.any.run/tasks/4c9e7e2c-13b6-4f75-bc45-279f63eed0f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60010/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.27755751.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ccc8f33a18a6e1ddf0388e
Tags:
autorun spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connection attempt
Reading critical registry keys
DNS request
Sending an HTTP GET request
Creating a window
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Running batch commands
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed themidawinlicense unsafe
Link:
https://www.filescan.io/uploads/69ccca00be4fad62665e797e/reports/77f8bead-4222-4051-9ea0-24d2fd932290/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-01T08:21:00Z UTC
Last seen:
2026-04-01T22:45:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Exploit.Win32.ChecksumController.ly
Link:
https://opentip.kaspersky.com/79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e/results?tab=lookup
Malware family:
Phemedrone Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b96e679d-3da5-4e0a-8cc1-4d762c572087
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1891885
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses Register-ScheduledTask to add task schedules
Uses the Windows Restart Manager Abuse for Browser Credential File unlocking
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1891885 Sample: 1.exe Startdate: 01/04/2026 Architecture: WINDOWS Score: 100 49 ip-api.com 2->49 55 Suricata IDS alerts for network traffic 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 3 other signatures 2->61 9 1.exe 22 9 2->9         started        14 CoreWorker_IwVZUvEqmTYQRhE.exe 1 2->14         started        16 CoreWorker_IwVZUvEqmTYQRhE.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 51 196.18.12.167, 49721, 49723, 49726 M247GB Seychelles 9->51 53 ip-api.com 208.95.112.1, 49725, 80 TUT-ASUS United States 9->53 45 C:\Users\...\CoreWorker_IwVZUvEqmTYQRhE.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\Local\...\1.exe.log, ASCII 9->47 dropped 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->75 77 Query firmware table information (likely to detect VMs) 9->77 79 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->79 81 8 other signatures 9->81 20 CoreWorker_IwVZUvEqmTYQRhE.exe 1 1 9->20         started        23 cmd.exe 1 9->23         started        25 chrome.exe 2 9->25         started        27 5 other processes 9->27 file6 signatures7 process8 signatures9 63 Suspicious powershell command line found 20->63 65 Protects its processes via BreakOnTermination flag 20->65 67 Bypasses PowerShell execution policy 20->67 69 Uses Register-ScheduledTask to add task schedules 20->69 29 cmd.exe 1 20->29         started        32 powershell.exe 38 20->32         started        71 Adds a directory exclusion to Windows Defender 23->71 34 conhost.exe 23->34         started        process10 signatures11 83 Adds a directory exclusion to Windows Defender 29->83 36 powershell.exe 23 29->36         started        39 conhost.exe 29->39         started        85 Loading BitLocker PowerShell Module 32->85 41 conhost.exe 32->41         started        43 WmiPrvSE.exe 32->43         started        process12 signatures13 73 Loading BitLocker PowerShell Module 36->73
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/7de220d7296166fbb91e889fbfe0737b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-04-01 07:27:50 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgigx6iv6ardvt4vxp2mzkdn6dopt4jimy5ngtwqxwuc4x2a2qxa._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
error
DonutLoader
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader defense_evasion execution loader persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/260401-jc4rcahw6k/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Themida packer
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects DonutLoader
DonutLoader
Donutloader family
Unpacked files
SH256 hash:
79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e
MD5 hash:
7de220d7296166fbb91e889fbfe0737b
SHA1 hash:
619d7e703f2178cf1794dac78c1da8aa3b1353cb
Link:
https://www.unpac.me/results/577210a2-51cb-4ce3-a4c1-07491e1cec3e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/79906bf915f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e16f150e68ebfc8674514c397828c0eaa4599dd302a8e7d49f3bf8f9fd36ec98

DonutLoader

Executable exe 79906bf915f0223acf95bbf4cca86df0dcf9f128663ad34ed0bda82e5f40d42e

(this sample)

  
Link
https://tria.ge/260401-h683gshv4m/behavioral2
  
Dropped by
SHA256 e16f150e68ebfc8674514c397828c0eaa4599dd302a8e7d49f3bf8f9fd36ec98
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/60010/

Comments