MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b7251a0a5c170b55af5c68107fded3c46ae02ba8d45ee16dfff0a7fa5a57fa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 8

Intelligence 8 IOCs YARA 9 File information Comments

SHA256 hash:	8b7251a0a5c170b55af5c68107fded3c46ae02ba8d45ee16dfff0a7fa5a57fa1
SHA3-384 hash:	8fca1ee352ab250554c0b6b0ed14014d4db5f4fce504305d45ed3bc427a3474c276b21a8aabfce61c2564f438a72ac5c
SHA1 hash:	41f938e11d350b254f95433638f89f9ca09c8cda
MD5 hash:	2ab73f923615240df6584c525d9ed8fe
humanhash:	oven-seventeen-hydrogen-minnesota
File name:	PROJECT_DRAWING_PLAN.zip
Download:	download sample
Signature	DonutLoader Create hunting rule
File size:	1'226 bytes
First seen:	2026-02-19 10:48:50 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24:91PWVbU+kS+zpbnMpri8CreFFe53wd5QZRZubPZrJzwKZYm75tl:9RkAwgMe53CSP6Rvl
TLSH	T1AF21A7A9500F2765C41423B046E3080E75F3A99B6BB7C387AAD710F2F4CA564451D717
Magika	zip
Reporter	smica83
Tags:	donutloader zip

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PROJECT POTO.lnk
File size:	1'982 bytes
SHA256 hash:	b999354f59d775130e8f62e9fadf47da75dd0b5d8c2957cedf89a2bb23d79026
MD5 hash:	bd09a2da0147fc31a22e126d666b6db7
MIME type:	application/octet-stream
Signature	DonutLoader

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/fe7b7abd-2d2b-43ff-b96b-1fce38d29805/

Detection(s):

Sanesecurity.Foxhole.Lnk_Zip_1.UNOFFICIAL

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

Sanesecurity.Malware.30517.LnkHeur.UNOFFICIAL

Sanesecurity.Malware.30537.LnkHeur.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL

TwinWave.EvilLNK.IrmPipesCaughtUp.20250729.UNOFFICIAL

SecuriteInfo.com.Zip.LNK-1.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6996eaadc950ab5d9aaf4fac

Tags:

emotet shell overt sage

Verdict:

Unknown

Threat level:

n/a -.1.0/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6996eaa904510f87ba7517e6/reports/3a426081-e56b-4a7a-abbb-278ee3950a41/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/8b7251a0a5c170b55af5c68107fded3c46ae02ba8d45ee16dfff0a7fa5a57fa1

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/8b7251a0a5c170b55af5c68107fded3c46ae02ba8d45ee16dfff0a7fa5a57fa1

Details

Hidden Powershell

Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Verdict:

Malicious

File Type:

zip

Link:

https://opentip.kaspersky.com/8b7251a0a5c170b55af5c68107fded3c46ae02ba8d45ee16dfff0a7fa5a57fa1/results?tab=lookup

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8b7251a0a5c170b55af5c68107fded3c46ae02ba8d45ee16dfff0a7fa5a57fa1/

Threat name:

Shortcut.Trojan.Boxter

Status:

Malicious

First seen:

2026-02-18 16:57:41 UTC

AV detection:

12 of 38 (31.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rnzfdiffyfylkwxvy2aqp7pnhrdk4av2rvc64fw774fh7jnfp6qq._file

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:asyncrat family:donutloader botnet:30305 defense_evasion execution loader persistence rat

Link:

https://tria.ge/reports/260219-pykhgsfx4e/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Async RAT payload

AsyncRat

Asyncrat family

Detects DonutLoader

DonutLoader

Donutloader family

Malware Config

C2 Extraction:

pizzashop.kozow.com:30305
brotherspizza.kozow.com:30305

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/8b7251a0a5c170b55af5c68107fded3c46ae02ba8d45ee16dfff0a7fa5a57fa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	Download_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies download artefacts in shortcut (LNK) files.

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	Long_RelativePath_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

Rule name:	PS_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_LNK_SuspiciousCommands Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects LNK file with suspicious content

Rule name:	SUSP_ZIP_LNK_PhishAttachment Create hunting rule
Author:	ignacior
Description:	Detects suspicius tiny ZIP files with malicious lnk files
Reference:	Internal Research

Rule name:	SUSP_ZIP_LNK_PhishAttachment_Pattern_Jun22_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious tiny ZIP files with phishing attachment characteristics
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample