MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 887803544d8c1546be31013fb4fc8c09e4adf4f7408813011e32080803e3cdda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 24 File information Comments

SHA256 hash:	887803544d8c1546be31013fb4fc8c09e4adf4f7408813011e32080803e3cdda
SHA3-384 hash:	ca110cbfec0928ae89b858d65ff4537d69784fa1aa3423e806303264b60f4de4c6e13330ac748b7289af3a6e9babdc4a
SHA1 hash:	668aa0b5b3cc5c7cb6c5e4ff3c1f22d4acedcb8b
MD5 hash:	f7d09f1e4b030dc39f3ab7a37aea3c6a
humanhash:	double-london-mockingbird-tennessee
File name:	file
Download:	download sample
File size:	2'290'688 bytes
First seen:	2025-12-28 16:47:30 UTC
Last seen:	2025-12-28 17:49:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (124 x Vidar, 92 x Rhadamanthys, 51 x Stealc)
ssdeep	24576:98e/q/9jfrdR9dAf6GBNeIXIY8kHMWVMA0wGmcoeleTNj4HGu2U+cVTFSH7:98eCFjZR9SfBH54uH1VnUmp
Threatray	27 similar samples on MalwareBazaar
TLSH	T186B55A0BBCA158FAC0A9A23188369196BB61BC451F3123DB2E90F7BC2F72BD05D75754
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543

Bitsight

url: http://130.12.180.43/files/7992210799/c94b76d.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2025-12-28 16:48:15 UTC

Tags:

github loader stealer donutloader golang arch-doc

Link:

https://app.any.run/tasks/df7a4dbe-8b65-42ba-93a1-2b522d65a716

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46317/

Detection(s):

Win.Malware.Wingo-10058333-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69515f506de7591fd8fc17d1

Tags:

shellcode backdoor virus

Verdict:

Malicious

Labled as:

WinGo/ShellcodeRunner.UG trojan

Link:

https://www.hybrid-analysis.com/sample/887803544d8c1546be31013fb4fc8c09e4adf4f7408813011e32080803e3cdda

Result

Gathering data

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/fed84102-ceef-4ee1-af5e-8f3e07ed9179

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/887803544d8c1546be31013fb4fc8c09e4adf4f7408813011e32080803e3cdda

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/f7d09f1e4b030dc39f3ab7a37aea3c6a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/887803544d8c1546be31013fb4fc8c09e4adf4f7408813011e32080803e3cdda/

Verdict:

Malicious

Threat:

Family.DONUTLOADER

Link:

https://tip.neiki.dev/file/887803544d8c1546be31013fb4fc8c09e4adf4f7408813011e32080803e3cdda

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rb4agvcnrqkunprrae73j7embhsk35hxicebgai6gieaqa7dzxna._file

Verdict:

malicious

Label(s):

donutloader

8cdc955d3b984ef389b30c4038a8961a379eff7a03372d0cd9954d3631f9d9bb

90bb3c411fffd0b0969cf9358658963c41ddc3b43ed7b957dad79db58d29e7e6

91f1cecbb69cde553fd3e755672abe64171ed3746a186e08d41f9415a3f8d5d3

a9ddcfbfd2cb226daf2198e34ff67e64ce2f83e7c4e15e5025e979004b5aa8ec

c77cc2fc6cc1cc42a96b66802666e035e4ba35be006638271e1fc1916344e3d0

cd5829453cfc83ecc63a28b6005a6407c7b7b081627e741e7064cd2b1d3800bd

e8b08cc9b26fa0ff42d77d0b0e8fd69f5894330585744c027734dc735ede1b65

error

f507c38c06bcaa13c785d1c0480c5d491074a90a9e8ead9cc9f068bba63ab306

+ 17 additional samples on MalwareBazaar

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:donutloader discovery loader spyware stealer

Link:

https://tria.ge/reports/251228-va7wrszjes/

Behaviour

Browser Information Discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Detects DonutLoader

DonutLoader

Donutloader family

Verdict:

Malicious

Tags:

External_IP_Lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/a2d9f4af-e5d3-4251-a41f-74ffbdd79644

Unpacked files

SH256 hash:

887803544d8c1546be31013fb4fc8c09e4adf4f7408813011e32080803e3cdda

MD5 hash:

f7d09f1e4b030dc39f3ab7a37aea3c6a

SHA1 hash:

668aa0b5b3cc5c7cb6c5e4ff3c1f22d4acedcb8b

Link:

https://www.unpac.me/results/e96a6606-88e1-4344-a3a8-f42664b5c85a/

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/887803544d8c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 887803544d8c1546be31013fb4fc8c09e4adf4f7408813011e32080803e3cdda

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3745411/

Cape

https://www.capesandbox.com/analysis/46317/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample