MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb92fd512aced6503edbe52a19c8b5d225e18fa65a079e250c8ddb90f387c4d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb92fd512aced6503edbe52a19c8b5d225e18fa65a079e250c8ddb90f387c4d4
SHA3-384 hash: faa990455aed2561794c432fb485875afa57a8d3f80d010b42a0d6472be03aee4b846165a11af5009047a64e0352e5fb
SHA1 hash: 01fb331e4e367416dec9a68ece4f49b969d237f0
MD5 hash: 75a341a13e13f70c598d9a9b4bbe472c
humanhash: quiet-nineteen-asparagus-pennsylvania
File name:Manikaran Payment 05112025.jpeg.vbs
Download: download sample
Signature DonutLoader
Create hunting rule
File size:659'665 bytes
First seen:2025-11-08 16:46:26 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:nv4AHhX6S13rskySglmxZbhYzlk5ujAwG4IPYhTDrQ:dHFBx25qbdG24lh8
Threatray 186 similar samples on MalwareBazaar
TLSH T186E447BB3912095C869513F92D2536CE86ED2109F032BC7EE6F772987A75148F2BC61C
Magika vba
Reporter abuse_ch
Tags:donutloader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36553/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690f741f3afb53888cc9ceb1
Tags:
obfuscate vmdetect xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm base64 cmd evasive fingerprint lolbin masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/690f74158938e2fe22169db9/reports/91cb9648-38cb-40f0-9e80-8b289ba071e2/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/eb92fd512aced6503edbe52a19c8b5d225e18fa65a079e250c8ddb90f387c4d4
Verdict:
Malicious
File Type:
vbs
First seen:
2025-11-06T03:12:00Z UTC
Last seen:
2025-11-10T14:59:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.JS.Cryptoload.sb Trojan.JS.SAgent.sb HEUR:Trojan.PowerShell.Tesre.sb Trojan.PowerShell.AmsiBypass.sb
Link:
https://opentip.kaspersky.com/eb92fd512aced6503edbe52a19c8b5d225e18fa65a079e250c8ddb90f387c4d4/results?tab=lookup
Result
Threat name:
DonutLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1810656
Signature
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Creates processes via WMI
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected DonutLoader
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1810656 Sample: Manikaran Payment 05112025.... Startdate: 08/11/2025 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Yara detected DonutLoader 2->43 45 Yara detected Powershell decode and execute 2->45 47 11 other signatures 2->47 9 wscript.exe 1 2->9         started        13 svchost.exe 1 1 2->13         started        process3 dnsIp4 31 C:\Users\PublicbehaviorgraphraftingCenter.bat, ASCII 9->31 dropped 53 Wscript starts Powershell (via cmd or directly) 9->53 55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->55 57 Suspicious execution chain found 9->57 59 Creates processes via WMI 9->59 16 cmd.exe 1 9->16         started        33 127.0.0.1 unknown unknown 13->33 file5 signatures6 process7 signatures8 35 Suspicious powershell command line found 16->35 37 Wscript starts Powershell (via cmd or directly) 16->37 39 Bypasses PowerShell execution policy 16->39 19 cmd.exe 1 16->19         started        21 conhost.exe 16->21         started        process9 process10 23 cmd.exe 2 19->23         started        signatures11 49 Suspicious powershell command line found 23->49 51 Wscript starts Powershell (via cmd or directly) 23->51 26 powershell.exe 1 28 23->26         started        29 conhost.exe 23->29         started        process12 signatures13 61 Found suspicious powershell code related to unpacking or dynamic code loading 26->61 63 Loading BitLocker PowerShell Module 26->63
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/eb92fd512aced6503edbe52a19c8b5d225e18fa65a079e250c8ddb90f387c4d4
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb92fd512aced6503edbe52a19c8b5d225e18fa65a079e250c8ddb90f387c4d4/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/eb92fd512aced6503edbe52a19c8b5d225e18fa65a079e250c8ddb90f387c4d4
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-08 16:47:24 UTC
File Type:
Text
AV detection:
6 of 24 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ojp2ujkz3lfapw34uvbtsfv2is6dd5glidz4jimrxnzb44hytka._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
2752fec85f58ead6f9966a15c1227148c81fcbdcc393b76699fd2c9a4fc25874
DonutLoader
32d605dc2e89607318b9039a6511ca4c91d770f9dfc514d89fe5232c7b269008
DonutLoader
3c4850bad9e48453996875f76725ab4caf188613ec4621fef7fbca2fd19c2147
DonutLoader
6fe0d90ee6b5cdf3e1f8847dba78459deecc3b975a990240e2b9d52a561d695e
DonutLoader
80943dad82a060b3506f2312c2d282f117e08a1b16cd9f1f6fcaf852be916407
DonutLoader
9c7bccc9beab63a3ebf8995eb4ad568c15e7b65421e11fadbac663d4bc8ef792
DonutLoader
ba155a5175493aa4e350cc470165e37632573b06c353db839f02c9eecc06a8a9
DonutLoader
ceaa19c2955fc7b208d9480844510cbe51ab054d54332c60f6cb8aff902da04c
DonutLoader
d1cfc53e81fdcf625be8284ee7ed47fa1256de5222d2b1d4064524e90724df4e
DonutLoader
error
DonutLoader
+ 176 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery execution loader
Link:
https://tria.ge/reports/251108-vansws1ram/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Detects DonutLoader
DonutLoader
Donutloader family
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36553/

Comments