MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9116582a5b629ca0983e34037ea467a5b2da12f6bed8904b85e35429c08c4f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DonutLoader

Vendor detections: 15

SHA256 hash: b9116582a5b629ca0983e34037ea467a5b2da12f6bed8904b85e35429c08c4f3
SHA3-384 hash: f629965b20547f19cdd3cc2ce54b8ba5d8e279a4499e784f2cc10b19cad8081dea33bbcfd2f280919dbfcb52735a32b5
SHA1 hash: ab18da9731e24b04c1ef2c59cee175ccd87f4e60
MD5 hash: 359c3c22f3c01b291ed8dbbccfce2ae6
humanhash: salami-six-whiskey-delta
File name: file
Download: download sample
Signature: DonutLoader
File size: 3'698'450 bytes
First seen: 2026-03-19 19:31:39 UTC
Last seen: 2026-03-19 19:56:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e0a0e8f80bbd1a9c0078e57256f1c3d (8 x ValleyRAT, 5 x GCleaner, 4 x CoinMiner)
ssdeep: 98304:zzUU83tEzZaY+Jxuhv/qvIK0McID3ORUGZ:zzUfiMY+khagKreOk
TLSH: T1CE062349E7E804F8F0B3A1B489634A02F7767CAD0371D68F03B556A51F273A19E39B61
TrID:
  93.7% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  2.3% (.EXE) Win64 Executable (generic) (6522/11/2)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  0.7% (.EXE) OS/2 Executable (generic) (2029/13)
  0.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 9494b494d4aeaeac (904 x DCRat, 483 x NirCmd, 172 x RedLineStealer)
Reporter: Bitsight
Tags: donutloader dropped-by-amadey exe fbf543


Bitsight
url: http://158.94.208.7/files/8180653200/8bg1lmE.exe

Intelligence

File Origin
# of uploads: 13
# of downloads: 188
Origin country: US
Vendor Threat Intelligence

Malware configuration found for: Archives
Details: Archives (SFX commands and extracted archive contents)

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2026-03-19 19:31:53 UTC
Tags: auto generic donutloader loader stealer netreactor purehvnc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: dropper obfusc sage
Result
Verdict: Suspicious
Maliciousness:
Behaviour:
  Creating a window
  Searching for the window
  Creating synchronization primitives
  Searching for synchronization primitives
  Creating a file
  Running batch commands
  Creating a process from a recently created file
  Launching a process
  Enabling the 'hidden' option for recently created files
  Launching the default Windows debugger (dwwin.exe)
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm crypto finger fingerprint installer installer-heuristic lolbin microsoft_visual_cc overlay packed sfx
Verdict: Malicious
File Type: exe x64
Detections:
  HEUR:Trojan.MSIL.Agent.gen
  Backdoor.MSIL.Agent.sb
  Trojan-PSW.Win32.Xploder.sb
  Trojan-PSW.Win32.Coins.sb
  Trojan.Win32.Shellcode.sb
  Trojan.Win32.Shellcode.nva
  PDM:Trojan.Win32.Generic
  HEUR:Trojan-PSW.MSIL.Stealer.gen
Threat name: Win64.Trojan.Kepavll
Status: Malicious
First seen: 2026-03-19 19:35:55 UTC
File Type: PE+ (Exe)
Extracted files: 32
AV detection: 15 of 37 (40.54%)
Threat level: 5/5
Result
Malware family: donutloader
Score: 10/10
Tags: family:donutloader defense_evasion loader persistence spyware stealer
Behaviour:
  Delays execution with timeout.exe
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Views/modifies file attributes
  Enumerates physical storage devices
  Hide Artifacts: Hidden Files and Directories
  Adds Run key to start application
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL
  Reads user/profile data of web browsers
  Detects DonutLoader
  DonutLoader
  Donutloader family
Unpacked files

SHA256 hash: b9116582a5b629ca0983e34037ea467a5b2da12f6bed8904b85e35429c08c4f3
MD5 hash: 359c3c22f3c01b291ed8dbbccfce2ae6
SHA1 hash: ab18da9731e24b04c1ef2c59cee175ccd87f4e60

SHA256 hash: 47f4ab192954a913dad60c6b2e259a30f5bab0f161cba5ee3f1b684d3451703e
MD5 hash: 46ca486686a3cba219c71f2d3b42d42e
SHA1 hash: 400e85e2afd55da862b9e89e722a6b6bc0377aa2

SHA256 hash: 5d695d8a0bb1d919cc77a2aa2488a61797bfa065238160278ee458120630aaf9
MD5 hash: f9538485432d3ec640f89096ba2d4d00
SHA1 hash: b050b847b1fe8be78d56b29bd23c25e05c227a92
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Delivery: Web download

DonutLoader
Executable exe b9116582a5b629ca0983e34037ea467a5b2da12f6bed8904b85e35429c08c4f3 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

Comments