MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef07fd45a08d335cb014a643df38662d7ba5f6c4fca3fdb26111f8bbf2a223f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DonutLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash: ef07fd45a08d335cb014a643df38662d7ba5f6c4fca3fdb26111f8bbf2a223f2
SHA3-384 hash: 7d805fcb9763c0efd5668c33c81df616184d68b5e04350a634238bf5af5c88bdb94c242e07b6b3ca16834af756e9b598
SHA1 hash: ad36a5e55e0c07eaff875e840c7235503cd79bd2
MD5 hash: a61a64bb1d0b340ea3511ab3b3f97e26
humanhash: batman-victor-yankee-potato
File name:lfbwxecb.bat
Download: download sample
Signature DonutLoader
File size:16'168'793 bytes
First seen:2026-07-04 07:56:53 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 49152:JVSAf7MARB+eOT1SA7N8eWWPxKvBanRUVFhxIr4y4ZDVQTmJIBIAvCZTLpHKNDmA:4
Threatray 4 similar samples on MalwareBazaar
TLSH T18FF633215E66AD7D0BACC33820AB1F1E2B905FC4845CF8EB93E4B5C7226FF518957864
Magika txt
Reporter smica83
Tags:bat donutloader

Intelligence


File Origin
# of uploads :
1
# of downloads :
55
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_ef07fd45a08d335cb014a643df38662d7ba5f6c4fca3fdb26111f8bbf2a223f2.txt
Verdict:
No threats detected
Analysis date:
2026-07-04 07:59:31 UTC
Tags:
susp-powershell api-base64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Tags:
vmdetect dropper shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Deleting a recently created file
Connection attempt
Sending a custom TCP request
Setting a single autorun event
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm base64 obfuscated powershell
Result
Threat name:
GO Agent, Go Keylogger, OverlordAgent
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Found large BAT file
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected GO Agent
Yara detected Go Keylogger
Yara detected Keylogger Generic
Yara detected OverlordAgent
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1937404 Sample: lfbwxecb.bat Startdate: 04/07/2026 Architecture: WINDOWS Score: 100 96 ax-0003.ax-msedge.net 2->96 98 api.msn.com 2->98 100 5 other IPs or domains 2->100 118 Found malware configuration 2->118 120 Malicious sample detected (through community Yara rule) 2->120 122 Antivirus detection for dropped file 2->122 124 15 other signatures 2->124 14 cmd.exe 3 2->14         started        18 explorer.exe 69 132 2->18         started        signatures3 process4 dnsIp5 88 C:\Users\...\lfbwxecb.bat:Zone.Identifier, ASCII 14->88 dropped 90 C:\Users\Public\lfbwxecb.bat, ASCII 14->90 dropped 154 Suspicious powershell command line found 14->154 156 Uses cmd line tools excessively to alter registry or file data 14->156 21 powershell.exe 16 14->21         started        24 powershell.exe 15 14->24         started        26 conhost.exe 14->26         started        30 2 other processes 14->30 102 ax-0003.ax-msedge.net 150.171.28.12, 443, 49711 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS United States 18->102 158 System process connects to network (likely due to code injection or exploit) 18->158 28 cmd.exe 18->28         started        file6 signatures7 process8 signatures9 126 Suspicious powershell command line found 21->126 128 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->128 32 powershell.exe 24 21->32         started        130 Found suspicious powershell code related to unpacking or dynamic code loading 24->130 132 Compiles code for process injection (via .Net compiler) 24->132 134 Uses cmd line tools excessively to alter registry or file data 28->134 36 powershell.exe 28->36         started        38 reg.exe 28->38         started        40 conhost.exe 28->40         started        process10 file11 82 C:\Users\user\AppData\...\lwcrsoq5.cmdline, Unicode 32->82 dropped 106 Injects code into the Windows Explorer (explorer.exe) 32->106 108 Writes to foreign memory regions 32->108 110 Creates a thread in another existing process (thread injection) 32->110 42 explorer.exe 10 1 32->42 injected 46 csc.exe 3 32->46         started        49 conhost.exe 32->49         started        112 Suspicious powershell command line found 36->112 114 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->114 51 powershell.exe 36->51         started        116 Creates autostart registry keys with suspicious names 38->116 signatures12 process13 dnsIp14 104 51.195.202.236, 49710, 49718, 49729 OVHFR United Kingdom 42->104 146 Unusual module load detection (module proxying) 42->146 53 cmd.exe 1 42->53         started        92 C:\Users\user\AppData\Local\...\lwcrsoq5.dll, PE32 46->92 dropped 56 cvtres.exe 1 46->56         started        94 C:\Users\user\AppData\Local\...\ybxwfyw0.0.cs, Unicode 51->94 dropped 148 Injects code into the Windows Explorer (explorer.exe) 51->148 150 Writes to foreign memory regions 51->150 152 Creates a thread in another existing process (thread injection) 51->152 58 csc.exe 51->58         started        61 conhost.exe 51->61         started        file15 signatures16 process17 file18 136 Suspicious powershell command line found 53->136 138 Uses cmd line tools excessively to alter registry or file data 53->138 63 powershell.exe 53->63         started        66 conhost.exe 53->66         started        68 reg.exe 1 53->68         started        84 C:\Users\user\AppData\Local\...\ybxwfyw0.dll, PE32 58->84 dropped 70 cvtres.exe 58->70         started        signatures19 process20 signatures21 160 Suspicious powershell command line found 63->160 162 Hides that the sample has been downloaded from the Internet (zone.identifier) 63->162 72 powershell.exe 63->72         started        process22 signatures23 140 Injects code into the Windows Explorer (explorer.exe) 72->140 142 Writes to foreign memory regions 72->142 144 Creates a thread in another existing process (thread injection) 72->144 75 csc.exe 3 72->75         started        78 conhost.exe 72->78         started        process24 file25 86 C:\Users\user\AppData\Local\...\hu0gvhq0.dll, PE32 75->86 dropped 80 cvtres.exe 1 75->80         started        process26
Result
Malware family:
donutloader
Score:
  10/10
Tags:
family:donutloader adware execution loader persistence ransomware spyware
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Adds Run key to start application
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Detects DonutLoader
Family: DonutLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:vmdetect
Author:nex
Description:Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments