MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c52a7b20696067025fbe356c3cdc70b9d813a1969bbdf415df73456aa92d4097. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c52a7b20696067025fbe356c3cdc70b9d813a1969bbdf415df73456aa92d4097
SHA3-384 hash: d0888e2832831e57c66fa75e0d7cb405ea9109e15d8a1249633fcb5055d3a368012c062e9e16a7a068c39d151feabfc9
SHA1 hash: 5945f3262ab4c14b7c195cea6cef96d3ae96b05e
MD5 hash: 1230a6b01a64cf2b3d7d604715f97e16
humanhash: table-monkey-eight-spaghetti
File name:Overview of Project Salary and Commission.pdf.exe
Download: download sample
Signature DonutLoader
Create hunting rule
File size:28'515'620 bytes
First seen:2025-12-09 11:21:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c990338f8145dc29c6f38fb73cf05c77 (58 x BlankGrabber, 7 x PythonStealer, 5 x DiscordTokenStealer)
ssdeep 786432:/1LGar/Q97OIXdwJkVJEwRWcV0GZ9qJJkw2:/9zdYG+JvR0GZ9K
Threatray 2'516 similar samples on MalwareBazaar
TLSH T1C65733388F9B06EDE8F7D53CD3219902B26439484B94CE9A47C0C7492DA35D9727EBA1
TrID 66.6% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon c6c2ccc4f4e0e0f8 (47 x PythonStealer, 26 x CoinMiner, 24 x SVCStealer)
Reporter smica83
Tags:donutloader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/ca25c6b1-744d-49ea-847f-b8e9e4072678/
Malware family:
n/a
ID:
1
File name:
Overview of Project Salary and Commission.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-12-09 11:23:23 UTC
Tags:
python auto-startup rat arch-exec arch-doc zgrat stealer purehvnc netreactor
Link:
https://app.any.run/tasks/848d35ba-0f4e-4fe2-a396-85f9cf3f61a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43974/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69380665db58e1a2c22bab9f
Tags:
underscore asyncrat autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cridex expand installer-heuristic lolbin masquerade microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller
Link:
https://www.filescan.io/uploads/6938062dbba50eaf0429734b/reports/3c0c0745-38a1-45c0-9229-f2018ae3949d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/c52a7b20696067025fbe356c3cdc70b9d813a1969bbdf415df73456aa92d4097
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-08T11:59:00Z UTC
Last seen:
2025-12-09T18:55:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Badex.c PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Cryptos.gen Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.jgp Trojan.Python.Agent.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/c52a7b20696067025fbe356c3cdc70b9d813a1969bbdf415df73456aa92d4097/results?tab=lookup
Result
Threat name:
DonutLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1829390
Signature
Bypasses PowerShell execution policy
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DonutLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1829390 Sample: Overview of Project Salary ... Startdate: 09/12/2025 Architecture: WINDOWS Score: 100 84 Suricata IDS alerts for network traffic 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 7 other signatures 2->90 11 Overview of Project Salary and Commission.pdf.exe 14 2->11         started        14 wscript.exe 2->14         started        17 wscript.exe 2->17         started        19 2 other processes 2->19 process3 file4 74 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 11->74 dropped 76 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 11->76 dropped 78 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 11->78 dropped 80 9 other files (none is malicious) 11->80 dropped 21 Overview of Project Salary and Commission.pdf.exe 74 11->21         started        104 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->104 signatures5 process6 file7 58 C:\Users\user\AppData\Local\...\winsound.pyd, PE32 21->58 dropped 60 C:\Users\user\AppData\...\vcruntime140.dll, PE32 21->60 dropped 62 C:\Users\user\AppData\...\unicodedata.pyd, PE32 21->62 dropped 64 56 other files (none is malicious) 21->64 dropped 24 python.exe 38 21->24         started        process8 file9 66 C:\Users\user\AppData\Local\...\py.exe, PE32 24->66 dropped 68 C:\Users\user\AppData\Local\...\winsound.pyd, PE32 24->68 dropped 70 C:\Users\user\AppData\...\vcruntime140.dll, PE32 24->70 dropped 72 26 other files (none is malicious) 24->72 dropped 27 cmd.exe 1 24->27         started        30 conhost.exe 24->30         started        process10 signatures11 102 Uses schtasks.exe or at.exe to add and modify task schedules 27->102 32 py.exe 8 27->32         started        37 conhost.exe 27->37         started        process12 dnsIp13 82 51.79.170.237, 49722, 56001 OVHFR Canada 32->82 50 C:\Users\user\AppData\Roaming\...\run.vbs, ASCII 32->50 dropped 52 C:\Users\user\AppData\...\tmprrculs70.xml, XML 32->52 dropped 54 C:\Users\user\AppData\Local\Drivers\run.vbs, ASCII 32->54 dropped 56 C:\Users\user\AppData\Roaming\drivers.exe, PE32 32->56 dropped 92 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 32->92 94 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->94 96 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 32->96 98 6 other signatures 32->98 39 powershell.exe 37 32->39         started        42 cmd.exe 1 32->42         started        file14 signatures15 process16 signatures17 100 Loading BitLocker PowerShell Module 39->100 44 conhost.exe 39->44         started        46 conhost.exe 42->46         started        48 schtasks.exe 1 42->48         started        process18
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c52a7b20696067025fbe356c3cdc70b9d813a1969bbdf415df73456aa92d4097
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/1230a6b01a64cf2b3d7d604715f97e16
Gathering data
Verdict:
Malicious
Threat:
Family.ZGRAT
Link:
https://tip.neiki.dev/file/c52a7b20696067025fbe356c3cdc70b9d813a1969bbdf415df73456aa92d4097
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-12-08 17:41:26 UTC
File Type:
PE+ (Exe)
Extracted files:
455
AV detection:
13 of 37 (35.14%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yuvhwidjmbtqex56gvwdzxdqxhmbhimwto67ifo7oncwvkjniclq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
donutloader
Create hunting rule
Similar samples:
19738529a0e8634d5a32cd0fe8c58f900f99fa9622164c54fc56b9f4d088d0a3
DonutLoader
1e897d6c9c99c23476645d624ebaa0a33bc1a865901b68f02ec4c858a4b4e01e
DonutLoader
44e6b327d72b03553c621df0d14e2e9dce380938f9c3eeeb2ed05ce8009369af
DonutLoader
864f41d231931ce8dda8dfef17c84106adab9d3d2023b5e41ddc403e79ea3461
DonutLoader
8c74e843dc4024992e37e7214ad134479e60e8b89f330acd2b79552c3ba556fe
DonutLoader
99978bb92355f3b3436b8e28f416d787bafd523deae3f03c97e0d9ed292e0305
DonutLoader
ae05c7d70a5afa168435f9111cb79cdd6bfb1e17979b44de1540ccfd932a5b32
DonutLoader
b6e0fb10c486aae7779fe8e7a93b314dcbcdd6f0afaa30820699941604d28b1d
DonutLoader
bdac952b955a036fe825e6453f4188eb8ef834d27b41d02f990a42a5cf44802b
DonutLoader
error
DonutLoader
fb1ef020f64681c4e3d3b3f4406f47aa7858dea79b39f00c803aaa83781a7714
DonutLoader
+ 2'506 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery execution loader persistence pyinstaller spyware stealer
Link:
https://tria.ge/reports/251209-nf5j9sgj8s/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fde6213b-ccdd-4e96-a71d-d2a860766423
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c52a7b206960/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c52a7b20696067025fbe356c3cdc70b9d813a1969bbdf415df73456aa92d4097

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43974/

Comments