MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9
SHA3-384 hash: fb7a4d9fb05a60f7f4a62066597be3ccadb169df9c9f8df6a1f0e1cb18d96381b8dbac10f6e7627ca098e85e53c43014
SHA1 hash: 30d32984988e34295b3845ff9c7792e1369aef80
MD5 hash: 7c5d9e4121c74f9b5c7be2bb03018a2a
humanhash: mars-delaware-delta-earth
File name:Quote.pdf--09098.js
Download: download sample
Signature DonutLoader
Create hunting rule
File size:654'782 bytes
First seen:2025-10-26 16:53:28 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:BlhNPtsD6VOv+2EbEJGa0k5O6BdPhBHtmxdfsThttq1o:VttscOCCG329BdhBNG+F
TLSH T177D46B2CE0B6D4860205E3EE75A40686682A11DFD1EFD26816B4DD6FA41873C73FCFA5
Magika javascript
Reporter abuse_ch
Tags:donutloader js

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fe525e6c859164aa64e1bf
Tags:
obfuscate autorun xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint obfuscated powershell
Link:
https://www.filescan.io/uploads/68fe530c3a79800405f74cea/reports/114dd316-a390-4f9d-82fd-c804a8e0e680/overview
Verdict:
Malicious
Labled as:
Generik.NMHOHQF trojan
Link:
https://www.hybrid-analysis.com/sample/b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9
Verdict:
Malicious
File Type:
js
First seen:
2025-10-24T17:40:00Z UTC
Last seen:
2025-10-28T13:04:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic Trojan.VBS.SAgent.sb Trojan.BAT.Agent.sb HEUR:Trojan.BAT.Tesre.gen Trojan.PowerShell.AmsiBypass.sb HEUR:Trojan.PowerShell.Tesre.sb Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802037
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Creates processes via WMI
Drops script or batch files to the startup folder
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1802037 Sample: Quote.pdf--09098.js Startdate: 26/10/2025 Architecture: WINDOWS Score: 100 105 Malicious sample detected (through community Yara rule) 2->105 107 Yara detected Powershell decode and execute 2->107 109 Sigma detected: Drops script at startup location 2->109 111 7 other signatures 2->111 9 wscript.exe 1 1 2->9         started        12 cmd.exe 1 2->12         started        14 cmd.exe 2->14         started        16 5 other processes 2->16 process3 dnsIp4 121 Wscript starts Powershell (via cmd or directly) 9->121 123 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->123 125 Suspicious execution chain found 9->125 127 Creates processes via WMI 9->127 19 cmd.exe 1 9->19         started        22 cmd.exe 1 12->22         started        24 conhost.exe 12->24         started        26 cmd.exe 14->26         started        28 conhost.exe 14->28         started        103 127.0.0.1 unknown unknown 16->103 30 cmd.exe 16->30         started        32 cmd.exe 16->32         started        34 cmd.exe 1 16->34         started        36 5 other processes 16->36 signatures5 process6 signatures7 113 Suspicious powershell command line found 19->113 115 Wscript starts Powershell (via cmd or directly) 19->115 38 cmd.exe 1 19->38         started        40 conhost.exe 19->40         started        42 cmd.exe 1 22->42         started        45 cmd.exe 26->45         started        47 cmd.exe 30->47         started        49 cmd.exe 32->49         started        51 cmd.exe 1 34->51         started        53 cmd.exe 36->53         started        process8 signatures9 55 cmd.exe 2 38->55         started        129 Suspicious powershell command line found 42->129 131 Wscript starts Powershell (via cmd or directly) 42->131 58 powershell.exe 42->58         started        61 conhost.exe 42->61         started        63 powershell.exe 45->63         started        65 conhost.exe 45->65         started        67 2 other processes 47->67 69 2 other processes 49->69 71 2 other processes 51->71 73 2 other processes 53->73 process10 file11 117 Suspicious powershell command line found 55->117 119 Wscript starts Powershell (via cmd or directly) 55->119 75 powershell.exe 1 29 55->75         started        79 conhost.exe 55->79         started        89 C:\Users\user\AppData\Roaming\...\2dca.bat, ASCII 58->89 dropped 81 WerFault.exe 21 58->81         started        91 C:\Users\user\AppData\Roaming\...\7b05.bat, ASCII 63->91 dropped 83 WerFault.exe 63->83         started        93 C:\Users\user\AppData\Roaming\...\6ee5.bat, ASCII 67->93 dropped 85 WerFault.exe 67->85         started        95 C:\Users\user\AppData\Roaming\...\094c.bat, ASCII 69->95 dropped 87 WerFault.exe 69->87         started        97 C:\Users\user\AppData\Roaming\...\47a6.bat, ASCII 71->97 dropped 99 C:\Users\user\AppData\Roaming\...\ead7.bat, ASCII 73->99 dropped signatures12 process13 file14 101 C:\Users\user\AppData\Roaming\...\8873.bat, ASCII 75->101 dropped 133 Drops script or batch files to the startup folder 75->133 135 Found suspicious powershell code related to unpacking or dynamic code loading 75->135 137 Loading BitLocker PowerShell Module 75->137 signatures15
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-26 17:00:55 UTC
File Type:
Text (HTML)
AV detection:
5 of 38 (13.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wclbviwjsgg465e3g52ejas5azawdrgevpvcy75bio3djjgszduq._file
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery execution loader
Link:
https://tria.ge/reports/251026-vp2y3adj9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops startup file
Detects DonutLoader
DonutLoader
Donutloader family
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0961aa2c9918dcf749b377444825d064161c4c4abea2c7fa143b634a4d2c8e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments