MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a
SHA3-384 hash: 532a456efe63dc3f828b7eff1edc019810c169041e252eb3ed4693634021d840a6db2aa51b7954186662ce147bcc3bd0
SHA1 hash: 4de82667ff21b3762a9ebf84107e9ba90f075a28
MD5 hash: d62ae5e99588850a1bbbe70a315ee0c5
humanhash: comet-maine-early-spring
File name:OmniValidator.exe
Download: download sample
Signature DonutLoader
Create hunting rule
File size:7'852'119 bytes
First seen:2025-10-02 15:04:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 72c4e339b7af8ab1ed2eb3821c98713a (50 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer)
ssdeep 196608:FSDa0W8/La0YlOjmFxRxtYSHdK24uZWKRoGQ:2W83hKppjWU
TLSH T1DC863384334108E8ECAE533E98D1565AA6F678264384C7CF9BF04DA60E672E5FF35B50
TrID 64.5% (.EXE) InstallShield setup (43053/19/16)
15.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.0% (.ICL) Windows Icons Library (generic) (2059/9)
3.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter burger
Tags:donutloader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OmniValidator.exe
Verdict:
Malicious activity
Analysis date:
2025-10-02 15:03:03 UTC
Tags:
pyinstaller
Link:
https://app.any.run/tasks/942857b0-9803-42c4-ac10-6f03d681a75b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29931/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68de9465b54520161ad46b65
Tags:
autorun xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed pyinstaller
Link:
https://www.filescan.io/uploads/68de948c74e5a289899e50cd/reports/fdc01167-6696-447f-a4c9-789770939db4/overview
Verdict:
Malicious
Labled as:
Malware_
Link:
https://www.hybrid-analysis.com/sample/dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-02T12:22:00Z UTC
Last seen:
2025-10-03T10:29:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/eba21ed6-ecba-4697-9580-a402f1ce98df
Result
Threat name:
Apollo Agent
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1788209
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Apollo Agent
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1788209 Sample: OmniValidator.exe Startdate: 02/10/2025 Architecture: WINDOWS Score: 100 47 toolshare.com.tr 2->47 49 secure.firmwaresync.com.tr 2->49 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 7 other signatures 2->61 9 OmniValidator.exe 1001 2->9         started        13 SystemFile.exe 2->13         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->39 dropped 41 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->41 dropped 43 C:\Users\user\AppData\Local\...\tk86t.dll, PE32+ 9->43 dropped 45 49 other malicious files 9->45 dropped 69 Encrypted powershell cmdline option found 9->69 71 Bypasses PowerShell execution policy 9->71 73 Adds a directory exclusion to Windows Defender 9->73 75 Found pyInstaller with non standard icon 9->75 15 OmniValidator.exe 9->15         started        signatures6 process7 signatures8 81 Encrypted powershell cmdline option found 15->81 83 Adds a directory exclusion to Windows Defender 15->83 18 powershell.exe 14 17 15->18         started        22 powershell.exe 23 15->22         started        process9 dnsIp10 51 toolshare.com.tr 193.38.34.5, 443, 49702 AS1TOTALCLOUDFR France 18->51 37 C:\ProgramData\SystemFile.exe, PE32+ 18->37 dropped 25 SystemFile.exe 14 2 18->25         started        29 conhost.exe 18->29         started        31 schtasks.exe 18->31         started        63 Uses schtasks.exe or at.exe to add and modify task schedules 22->63 65 Loading BitLocker PowerShell Module 22->65 67 Powershell drops PE file 22->67 33 WmiPrvSE.exe 22->33         started        35 conhost.exe 22->35         started        file11 signatures12 process13 dnsIp14 53 secure.firmwaresync.com.tr 172.67.135.12, 443, 49703, 49704 CLOUDFLARENETUS United States 25->53 77 Antivirus detection for dropped file 25->77 79 Multi AV Scanner detection for dropped file 25->79 signatures15
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/d62ae5e99588850a1bbbe70a315ee0c5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-10-02 15:05:33 UTC
File Type:
PE+ (Exe)
Extracted files:
1717
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3u5xj3j2lftfcmqbmtslljtxkz3t4c5ki5al6zvsg7hotmfghrna._file
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader defense_evasion execution loader persistence pyinstaller upx
Link:
https://tria.ge/reports/251002-sfyh6sdq7y/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
UPX packed file
Obfuscated Files or Information: Command Obfuscation
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
Win.Malware.Lazy-10014174-0
YARA:
n/a
Link:
https://app.threat.zone/submission/3fdab06e-07ac-4c0e-a331-86b88a9730e1
Unpacked files
SH256 hash:
dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a
MD5 hash:
d62ae5e99588850a1bbbe70a315ee0c5
SHA1 hash:
4de82667ff21b3762a9ebf84107e9ba90f075a28
Link:
https://www.unpac.me/results/c00ecdb9-573e-46c3-a2ee-4d64ab3c40af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DonutLoader

Executable exe dd3b74ed3a596651320164e4b5a67756773e0baa4740bf66b237cee9b0a63c5a

(this sample)

DonutLoader

Executable exe 13bf1cfedc09e959f6fe09da8c9a687de9ed0d7ba10ca5839a6f0928429a1272

  
Dropping
SHA256 13bf1cfedc09e959f6fe09da8c9a687de9ed0d7ba10ca5839a6f0928429a1272
Cape
Cape
https://www.capesandbox.com/analysis/29931/
  
Dropping
MD5 a1be9ad4d50189570adf05e5ea2d8cc5

Comments