MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9258a7ec655140209e0337a49e32a1720574acbc9858a86b7ac895f25e41a172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9258a7ec655140209e0337a49e32a1720574acbc9858a86b7ac895f25e41a172
SHA3-384 hash: 3676938fe59b7e3ad1005314aeed3b59d6d27b270f66d18d3f956b7d4934de2c06db494a4a0af4e55bcbc692f7ea1c8d
SHA1 hash: 3077e20581d0cf504e02f5a071fd7810c3e490a4
MD5 hash: 8fa0e174e7c5fc63236ed51386bb2668
humanhash: stream-kilo-illinois-bluebird
File name:8fa0e174e7c5fc63236ed51386bb2668.exe
Download: download sample
Signature DonutLoader
Create hunting rule
File size:9'111'552 bytes
First seen:2025-06-25 06:34:31 UTC
Last seen:2025-06-27 07:30:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 62 x Vidar, 41 x LummaStealer)
ssdeep 98304:nlnvEmvQ11ycaPEVF2hccdJeAE8LjBSIGTbXnpZMUFn:nhvLvQby8dOemBKL8Ud
TLSH T176968E43FC9559EAC1A9E23489729253BA717C491B3263D32B50F3386F73BD46AB5310
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:donutloader exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
392
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8fa0e174e7c5fc63236ed51386bb2668.exe
Verdict:
Malicious activity
Analysis date:
2025-06-25 06:49:55 UTC
Tags:
golang loader stealer ultravnc rmm-tool xor-url generic obfuscated-js
Link:
https://app.any.run/tasks/4467e251-8ed8-4860-9464-90ad9c82efd1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/11002/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685b99ffb06783b9ebd72f5b
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process from a recently created file
DNS request
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/9258a7ec655140209e0337a49e32a1720574acbc9858a86b7ac895f25e41a172
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8ed3c6a5-5d53-4f50-b0c5-a28a462673d6
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1722395
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1722395 Sample: Epgr0RDcpG.exe Startdate: 25/06/2025 Architecture: WINDOWS Score: 100 43 cdnhelofin.pro 2->43 61 Suricata IDS alerts for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 3 other signatures 2->67 11 Epgr0RDcpG.exe 2 2->11         started        signatures3 process4 signatures5 71 Suspicious powershell command line found 11->71 73 Found Tor onion address 11->73 75 Adds a directory exclusion to Windows Defender 11->75 14 Epgr0RDcpG.exe 3 11->14         started        19 conhost.exe 11->19         started        process6 dnsIp7 51 141.98.6.14, 49695, 5563 CMCSUS Germany 14->51 41 C:\Users\user\AppData\Local\...\wgkaw.exe, PE32+ 14->41 dropped 55 Suspicious powershell command line found 14->55 57 Found Tor onion address 14->57 59 Adds a directory exclusion to Windows Defender 14->59 21 cmd.exe 1 14->21         started        23 powershell.exe 23 14->23         started        26 powershell.exe 21 14->26         started        28 conhost.exe 14->28         started        file8 signatures9 process10 signatures11 30 wgkaw.exe 21->30         started        69 Loading BitLocker PowerShell Module 23->69 process12 dnsIp13 53 cdnhelofin.pro 104.21.16.58, 443, 49696 CLOUDFLARENETUS United States 30->53 77 Multi AV Scanner detection for dropped file 30->77 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->79 81 Found many strings related to Crypto-Wallets (likely being stolen) 30->81 83 6 other signatures 30->83 34 chrome.exe 30->34         started        signatures14 process15 process16 36 chrome.exe 34->36         started        39 WerFault.exe 16 34->39         started        dnsIp17 45 plus.l.google.com 142.250.72.110, 443, 49721 GOOGLEUS United States 36->45 47 www.google.com 142.251.40.132, 443, 49701, 49704 GOOGLEUS United States 36->47 49 2 other IPs or domains 36->49
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9258a7ec655140209e0337a49e32a1720574acbc9858a86b7ac895f25e41a172
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/8fa0e174e7c5fc63236ed51386bb2668
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9258a7ec655140209e0337a49e32a1720574acbc9858a86b7ac895f25e41a172/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjmkp3dfkfacbhqdg6sj4mvboicxjlf4tbmkq232zck7exsbufza._file
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery execution loader spyware stealer
Link:
https://tria.ge/reports/250625-hdnk3ssmx4/
Behaviour
Enumerates system info in registry
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5675c645-ea4f-4ad2-9d0e-dd03c78bd575
Unpacked files
SH256 hash:
9258a7ec655140209e0337a49e32a1720574acbc9858a86b7ac895f25e41a172
MD5 hash:
8fa0e174e7c5fc63236ed51386bb2668
SHA1 hash:
3077e20581d0cf504e02f5a071fd7810c3e490a4
Link:
https://www.unpac.me/results/f16fcbf4-b74e-4954-8030-56df7613f0d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9258a7ec655140209e0337a49e32a1720574acbc9858a86b7ac895f25e41a172

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/11002/

Comments