MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7134c66943d91beea8666e1f6d45f79a3df1ec49b0976d59f71511666eb4f3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DonutLoader


Vendor detections: 15



SHA256 hash: c7134c66943d91beea8666e1f6d45f79a3df1ec49b0976d59f71511666eb4f3f
SHA3-384 hash: 074980c58d7d273611b04011f912b6a6706ea19362e0858fde4cc661f233b5bd8bb70e895574fa19deee6454f669781e
SHA1 hash: 142060e00cf1eba47cf3219d413960a5e446f267
MD5 hash: a2033ac1629ce140d14afe46c623d5a7
humanhash: leopard-violet-nebraska-glucose
File name: 7ZSfxMod_x86.exe
Signature: DonutLoader
File size: 10'145'067 bytes
First seen: 2025-05-20 03:15:07 UTC
Last seen: 2025-05-22 18:39:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep: 196608:+ppo9y2K2WqNYw5AAQi+gpV4DgAO5KHQjOAw1w9TG4UYUbYu:+ppo9y2k4h5AAQijpV4DgAOeCPBp7gEu
Threatray: 9 similar samples on MalwareBazaar
TLSH: T19BA6330133E0F8F2C1678975CF4C936E4036E754F7D59E2BA7124E599CA32AA814B3DA
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter: burger
Tags: donutloader exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 505
Origin country: DE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: IJHXXBPF.exe
Verdict: Malicious activity
Analysis date: 2025-05-20 03:10:20 UTC
Tags: hijackloader loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: shellcode dropper virus
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context fingerprint installer microsoft_visual_cc overlay overlay packed packer_detected redcap

Verdict: Malicious
Labeled as: Win64_TrojanDownloader_Rugmi_EX
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph: rendered graph not reproduced (Behavior Graph ID 1694450, sample 7ZSfxMod_x86.exe, start date 20/05/2025, architecture WINDOWS, score 100). The graph shows 7ZSfxMod_x86.exe dropping msvcr120.dll, msvcp120.dll and Qt5Xml.dll under %LocalAppData% and starting Lab_Circuitry.exe, which copies itself with the runtime DLLs to C:\ProgramData\ARB_writer_dbg and spawns agenthelp.exe and tcpvcon.exe; msiexec.exe dropping BinarySynchronize32.exe with vcruntime140.dll, msvcp140.dll and mfc140u.dll under C:\ProgramData\protectdriver, which spawns tcpvcon.exe and Lmcheck.exe; thread-context injection, hidden mapped modules and direct/indirect syscalls flagged on the Lab_Circuitry.exe branch and a custom stack on tcpvcon.exe; agenthelp.exe harvesting browser and Putty/WinSCP data and contacting airflysales.shop and cdnjet.sbs over port 443; and Lmcheck.exe contacting unositescdn.buzz over port 80.
Result
Malware family: donutloader
Score: 10/10
Tags: family:donutloader discovery loader spyware stealer
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects DonutLoader
DonutLoader
Donutloader family
Unpacked files
SHA256: c7134c66943d91beea8666e1f6d45f79a3df1ec49b0976d59f71511666eb4f3f  MD5: a2033ac1629ce140d14afe46c623d5a7  SHA1: 142060e00cf1eba47cf3219d413960a5e446f267
SHA256: 250c3717663e4ab3ce50e4a53bc532bf0c0850d2917773dd7e482e733081a1a1  MD5: 2bd07acef2ffd5ad8388b714d4f81995  SHA1: 056824e256291f87d8cc216a3eb4ca15b3713b2f
SHA256: 29406e68aca5cc7633ae80039f4d8fcf14e3614a4476f258627a7889b305646b  MD5: 05a8b9c97982ec89bdd81d5c7de45cf8  SHA1: 39b10629fc1d299cc342e8c038055e46cc56ae70
SHA256: 6e6dd64c7e4d73f85a7e0b96a3c847314c909f918a86b22331b7a5ed27fff7ac  MD5: 37a584203a9ef1fad9517546988b77ca  SHA1: df8ab0755141766aec17edc4a982e89221b47a7e
SHA256: 8a70f0c243e7c6ec5f60ec667d20bbc89de53a1455d7cd4313da337760030655  MD5: efee87118a310edb82a7a6aeebaec1c1  SHA1: 93691e084ae1401b91d1ba15f0f5a316d027db6a
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: pe_detect_tls_callbacks

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: sus_pe_free_without_allocation
Author: Maxime THIEBAUT (@0xThiebaut)
Description: Detects an executable importing functions to free memory without importing allocation functions, often indicative of dynamic import resolution

Rule name: Windows_Trojan_GhostPulse_caea316b
Author: Elastic Security

Rule name: win_rat_generic
Author: Reedus0
Description: Rule for detecting generic RAT malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Malware family: DonutLoader
File: Executable exe c7134c66943d91beea8666e1f6d45f79a3df1ec49b0976d59f71511666eb4f3f (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::ShellExecuteW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExW

Comments