MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c02be262ac6d2ef431dde68f7351d0d96f09d497bdad34f23804ccaadc5be86d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c02be262ac6d2ef431dde68f7351d0d96f09d497bdad34f23804ccaadc5be86d
SHA3-384 hash: 7838f029e94f8e71b30f5d4f624ca144952ac4c9e2adf63eb4375fa92ee1c2ae859bcf6cef7bea0249070861c5a9bddd
SHA1 hash: 3dfff1d005d9a3f03db7736c28f124a528b423ee
MD5 hash: da7943edb57966a44912369b23a58d95
humanhash: kentucky-pennsylvania-whiskey-hamper
File name:XGICGKYK.msi
Download: download sample
Signature DonutLoader
Create hunting rule
File size:4'513'792 bytes
First seen:2025-05-09 11:54:37 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:jpYKXClWKasf9NtWtzPXsFRub0phSwS/gXyfmoT1ScRPRR:6KylWef9Nt4zPXsFwbeVvybRR
TLSH T1D7263302F49C209DDE5D26F5AA8357E57AAEDEF00E73885C6019B39D3D7324298207E7
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:185-125-50-140 donutloader msi mychecksecureconnect-cloud

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681dedda4a59e5a2ce03421b
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context expired-cert fingerprint installer keylogger packed wix
Link:
https://www.filescan.io/uploads/681ded33d95f3e34e9651e02/reports/c34f2a56-22ed-41ea-b0c6-cd22e6bfa994/overview
Verdict:
Suspicious
Labled as:
Trojan.MSI.Agent
Link:
https://www.hybrid-analysis.com/sample/c02be262ac6d2ef431dde68f7351d0d96f09d497bdad34f23804ccaadc5be86d
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c02be262ac6d2ef431dde68f7351d0d96f09d497bdad34f23804ccaadc5be86d
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1685315
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1685315 Sample: XGICGKYK.msi Startdate: 09/05/2025 Architecture: WINDOWS Score: 92 60 shed.dual-low.s-part-0043.t-0009.t-msedge.net 2->60 62 s-part-0043.t-0009.t-msedge.net 2->62 64 casoneroutegold-prod-bggfgca0dkaag8a8.b01.azurefd.net 2->64 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 2 other signatures 2->76 10 msiexec.exe 79 39 2->10         started        13 CodedDi.exe 4 2->13         started        16 msiexec.exe 3 2->16         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 10->46 dropped 48 C:\Users\user\AppData\Local\...\datastate.dll, PE32 10->48 dropped 50 C:\Users\user\AppData\Local\...\CodedDi.exe, PE32 10->50 dropped 18 CodedDi.exe 6 10->18         started        52 C:\Users\user\AppData\Local\...\4675677.tmp, PE32 13->52 dropped 88 Maps a DLL or memory area into another process 13->88 22 cmd.exe 1 13->22         started        24 ElevaInterface64.exe 1 13->24         started        signatures6 process7 file8 40 C:\ProgramData\writerControl\sqlite3.dll, PE32 18->40 dropped 42 C:\ProgramData\writerControl\datastate.dll, PE32 18->42 dropped 44 C:\ProgramData\writerControl\CodedDi.exe, PE32 18->44 dropped 78 Switches to a custom stack to bypass stack traces 18->78 26 CodedDi.exe 5 18->26         started        30 conhost.exe 22->30         started        signatures9 process10 file11 54 C:\Users\user\AppData\Local\...\2668453.tmp, PE32 26->54 dropped 56 C:\Users\user\...levaInterface64.exe, PE32 26->56 dropped 80 Found hidden mapped module (file has been removed from disk) 26->80 82 Maps a DLL or memory area into another process 26->82 84 Switches to a custom stack to bypass stack traces 26->84 86 Found direct / indirect Syscall (likely to bypass EDR) 26->86 32 ElevaInterface64.exe 2 26->32         started        36 cmd.exe 3 26->36         started        signatures12 process13 dnsIp14 58 185.125.50.140, 443, 49694, 49702 INPLATLABS-ASRU Russian Federation 32->58 66 Switches to a custom stack to bypass stack traces 32->66 68 Found direct / indirect Syscall (likely to bypass EDR) 32->68 38 conhost.exe 36->38         started        signatures15 process16
Score:
35%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/c02be262ac6d2ef431dde68f7351d0d96f09d497bdad34f23804ccaadc5be86d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c02be262ac6d2ef431dde68f7351d0d96f09d497bdad34f23804ccaadc5be86d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-01 11:15:05 UTC
File Type:
Binary (Archive)
Extracted files:
167
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yav6eyvmnuxpimo542hxguoq3fxqtvexxwwtj4ryatgkvxc35bwq._file
Verdict:
malicious
Label(s):
sectoprat
Create hunting rule
Similar samples:
error
DonutLoader
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat discovery persistence privilege_escalation rat trojan
Link:
https://tria.ge/reports/250509-n3psbsvnw4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
SectopRAT
SectopRAT payload
Sectoprat family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a9615c11-9b8b-4def-97c7-1a0b207f8712
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c02be262ac6d2ef431dde68f7351d0d96f09d497bdad34f23804ccaadc5be86d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments