MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109
SHA3-384 hash: b76c9d5e8a6c4a0a9b37092077dfcf2a7f4fedfee20c501dbe8adddf07ce43e175072447eb0afcd60617202cf1d4f18d
SHA1 hash: 48eb10734c70d81a60b32a070ef232bfb5ab53c4
MD5 hash: 338388b8cb49473293f63fcb38b8ecf8
humanhash: august-four-twenty-pennsylvania
File name:be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109.ps1
Download: download sample
Signature DonutLoader
Create hunting rule
File size:667 bytes
First seen:2026-02-17 07:00:21 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:uRfBhPhbHEzh0JkLJX8WFiyTnISV7YsWN7Wo0UqymwCGE8WlAvEic:M5fTEuwR8WFiGIDHWoaF8WSc
Threatray 2'705 similar samples on MalwareBazaar
TLSH T1EA017825B2AC1E0308F62925F6097742D98116333302782171A1D5C63FBCDA7DD1A492
Magika powershell
Reporter JAMESWT_WT
Tags:178-16-53-70 donutloader ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Other.Malware-gen.22672652.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699412122715406c647a6759
Tags:
agent shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/69941245981ff1d38a586193/reports/648efbf2-a327-451c-9a66-34402ab5d0a2/overview
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-02-03T08:05:00Z UTC
Last seen:
2026-02-06T10:53:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.PowerShell.Generic Trojan.Win32.Agent.sb HEUR:Trojan.Multi.Donut.b HEUR:Trojan.MSIL.Rozena.gen Trojan.Win64.Agentb.sb Trojan.Win64.Agent.sb Backdoor.Androm.HTTP.Download Trojan.Win32.Shellcode.sb HEUR:Trojan.Win64.Donut.a Trojan.Shellcode.TCP.C&C Trojan-Downloader.Agent.HTTP.C&C PDM:Trojan.Win32.Generic NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109/results?tab=lookup
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109
Threat name:
Script-PowerShell.Trojan.DonutLoader
Create hunting rule
Status:
Malicious
First seen:
2026-02-09 08:46:39 UTC
File Type:
Text (PowerShell)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xz3pww64jloc7icluytypfjeccvm5rhzkf6x52hp22g6uzi5qeeq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
17dabc99eeece44134c31afcbba6d93fedee62f019cf5eadb2b9438b1e491e70
DonutLoader
29ffffb8bba66471daaab7684fbafe004fe92a7806785d117316b73d5695db00
DonutLoader
3e02008bba6f868cf0bbe58a5428362c5f963a1dcb8d8682b1777af925a07587
DonutLoader
3e081805b7db9aa700d3e96fe2212493e1d4704a43ec7b57459f7dd0eb33bbd3
DonutLoader
41e9c4a2e8d9fdf2f8853ab181f8333e0d83dcd728449cef5d4001eac8e50354
DonutLoader
5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
DonutLoader
713fe892def917dd16fa304cf3719a22418c2b9db9d8e36cee27973f788236eb
DonutLoader
a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222
DonutLoader
error
DonutLoader
fc791cea301af15a8c46dfd5ddf048fbc52cb694d5e9118c41363675823a328b
DonutLoader
fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7
DonutLoader
+ 2'695 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader execution loader
Link:
https://tria.ge/reports/260217-hsvmyaaw4b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Badlisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be76fb5bdc4adc2fa04ba62787952410aacec4f9517d7ee8efd68dea651d8109

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments