MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590
SHA3-384 hash:	0d95d1d878f2b46759fb924fa6e4f2a984ef5926148cbaaf8702cec9cf9c33797e92407221e7592c180aec6672c9909a
SHA1 hash:	0bd8c25e18e96fb033fea3e2b4ef14d80709f3ba
MD5 hash:	5a98faed8f5cdb690def154929da30aa
humanhash:	nineteen-ten-delta-cat
File name:	a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590
Download:	download sample
Signature	DonutLoader Create hunting rule
File size:	20'992 bytes
First seen:	2025-09-04 12:42:54 UTC
Last seen:	2025-09-04 12:44:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7c9d4a4d0212d420f6300700665fbe2d (2 x DonutLoader)
ssdeep	384:UzQGppH0Z/53wpVH0n+na+gFxilWzW0m4L4:gQGpIFAx0n+a7kWq0F0
Threatray	2 similar samples on MalwareBazaar
TLSH	T15792E90EA343A4DDD51EC134CAFB9332B5B1B86165BA5B2A12E0C6780F60DA91F39B04
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	donutloader exe fuckrat-ru github-samninja666

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590

Verdict:

Malicious activity

Analysis date:

2025-09-04 12:46:06 UTC

Tags:

github uac auto-reg

Link:

https://app.any.run/tasks/d0cbb93a-2000-42d0-be88-799da138643a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/25048/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b98d67eb163e0ec184537b

Tags:

vmdetect emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Launching a process

Creating a process with a hidden window

Creating a file

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Enabling autorun with the shell\open\command registry branches

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug explorer lolbin mingw overlay packed

Link:

https://www.filescan.io/uploads/68b989756212e2f7426925ff/reports/c59a4d54-f711-4714-b80f-27ae4304f7e3/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-02T12:21:00Z UTC

Last seen:

2025-09-02T12:21:00Z UTC

Hits:

~100

Detections:

Trojan-Spy.MSIL.KeyLogger.sb Trojan-Downloader.Win32.Agent.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.evf Trojan.MSIL.Dnoper.sb HEUR:Trojan.Win64.Donut.a HEUR:Trojan.Multi.Donut.b

Link:

https://opentip.kaspersky.com/a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/314e8a38-3bd2-43cc-b184-a3fb41dd1b77

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/5a98faed8f5cdb690def154929da30aa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590/

Verdict:

Malicious

Threat:

Family.DONUTLOADER

Link:

https://tip.neiki.dev/file/a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590

Threat name:

Win64.Trojan.Barys

Status:

Malicious

First seen:

2025-09-02 19:43:09 UTC

File Type:

PE+ (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ueve7xd7jvk6g4hiugqbbh5hnokkjretxetpynqcl5yvtj5eywia._file

Verdict:

malicious

Label(s):

donut_injector

DonutLoader

error

DonutLoader

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:donutloader adware discovery loader persistence ransomware spyware

Link:

https://tria.ge/reports/250904-px6z4afj7y/

Behaviour

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Boot or Logon Autostart Execution: Active Setup

Downloads MZ/PE file

Detects DonutLoader

DonutLoader

Donutloader family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ddc12716-c342-4669-9013-e30ed1e1ddcd

Unpacked files

SH256 hash:

a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590

MD5 hash:

5a98faed8f5cdb690def154929da30aa

SHA1 hash:

0bd8c25e18e96fb033fea3e2b4ef14d80709f3ba

Link:

https://www.unpac.me/results/d1bade97-b20c-4e98-83f6-a64453029670/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a12a4fdc7f4d55e370e8a1a0109fa76b94a4c493b926fc36025f7159a7a4c590

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/25048/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample