MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DonutLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940
SHA3-384 hash: 83627bbe41c94b4a312d1df26816483f4f5be6d450501affcdc624282c44384d7deae36e190fb7681821085b0a920d5c
SHA1 hash: a9e4d59f7bb31f8295547c96062c3c56c04bbe13
MD5 hash: 33697e276e3d4fcef225368b516ac89d
humanhash: equal-nitrogen-december-batman
File name:33697e276e3d4fcef225368b516ac89d.exe
Download: download sample
Signature DonutLoader
Create hunting rule
File size:139'264 bytes
First seen:2025-11-20 07:00:29 UTC
Last seen:2025-11-20 09:13:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 073dd26d517108ec052956158ee6e659 (2 x DonutLoader)
ssdeep 3072:i1TGZrLcgm8tuh3pqPZQY10gp3rmAo4JTNDdaFWG:iA0d8tufqGY1Vp3astY
Threatray 16 similar samples on MalwareBazaar
TLSH T13DD35B9B72E530FCE07B8539C9920A05FB72B87657615BEF03A4426A1F232D09D3DB61
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:donutloader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
33697e276e3d4fcef225368b516ac89d.exe
Verdict:
No threats detected
Analysis date:
2025-11-20 07:10:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e2823169-0118-4daf-9d7e-cc3956eb4a37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38761/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.83855917.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691ebc9527c5936d7d0dff63
Tags:
shellcode cobalt shell virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
DNS request
Connection attempt
Creating a window
Sending an HTTP GET request
Сreating synchronization primitives
Sending an HTTP POST request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc zusy
Link:
https://www.filescan.io/uploads/691ebc95c0cead54cd71fcb9/reports/8f725c6a-3ff7-451e-bd8c-701152b6d579/overview
Verdict:
Malicious
Labled as:
Win64/ShellcodeRunner.HJ trojan
Link:
https://www.hybrid-analysis.com/sample/fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-16T11:46:00Z UTC
Last seen:
2025-11-21T07:07:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Coins.sb Trojan-PSW.Lumma.HTTP.C&C Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Inject.sb Trojan.Win32.Shellcode.iao VHO:Trojan-PSW.Win32.Stealer.gen Trojan-PSW.Win32.Stealer.sb
Link:
https://opentip.kaspersky.com/fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/943234a8-9ef2-4912-a3ea-27c64a6b715e
Result
Threat name:
DonutLoader, Stealc v2
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1817507
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected DonutLoader
Yara detected Stealc v2
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1817507 Sample: aDMEYzg0BH.exe Startdate: 20/11/2025 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 8 other signatures 2->40 7 aDMEYzg0BH.exe 24 2->7         started        11 elevation_service.exe 2->11         started        13 elevation_service.exe 2->13         started        15 elevation_service.exe 2->15         started        process3 dnsIp4 30 149.102.156.62, 49691, 80 COGENT-174US United States 7->30 32 196.251.107.94, 49690, 5553 ANGANI-ASKE Seychelles 7->32 42 Early bird code injection technique detected 7->42 44 Found many strings related to Crypto-Wallets (likely being stolen) 7->44 46 Tries to harvest and steal browser information (history, passwords, etc) 7->46 48 6 other signatures 7->48 17 powershell.exe 15 15 7->17         started        20 conhost.exe 7->20         started        22 msedge.exe 7->22         started        24 5 other processes 7->24 signatures5 process6 dnsIp7 28 158.220.93.201, 49696, 80 LEVANTISCH Switzerland 17->28 26 conhost.exe 17->26         started        process8
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/33697e276e3d4fcef225368b516ac89d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940
Threat name:
Win64.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2025-11-16 16:38:21 UTC
File Type:
PE+ (Exe)
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7n4q4lnx5o2atk5rkuje6by4st46sj27c7zhpsuefun7tppnjfaa._file
Verdict:
malicious
Label(s):
shellcode_loader_007
Create hunting rule
donutloader
Create hunting rule
stealc
Create hunting rule
Similar samples:
0f5d52e0b104dc37a4b8832bb9a691f1f42bc90589faf62a58281a8f59a881f0
DonutLoader
745f67eb3c497e12e17886a4b68255e41e5b1c00714c79f0502c139d36acb278
DonutLoader
75ce93e3a94ae6ed9288f61d8c7c3b56a7628e022fc51af45b0f5e1a321fe2e9
DonutLoader
a849d1769b7f67ac1d0872e5b2f6f2fc58554ce634f916e15462ba5a6a2f1b29
DonutLoader
ae525cc8316e04ab303e21633e179ff833f32123d61a8b2a35f62858e25b60aa
DonutLoader
b98b53ca03e3e9009b31bcc37b90b206064b25effce449dde63c51cef6a47470
DonutLoader
c36d6aa31395cdae0a5623dd10984e235a6986d61d4f7e1db0849f88000cfc01
DonutLoader
error
DonutLoader
+ 6 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery loader spyware stealer
Link:
https://tria.ge/reports/251120-hsxsaswlcj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
Badlisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a16dcc65-454b-47c2-8231-f38ba532a8c5
Unpacked files
SH256 hash:
fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940
MD5 hash:
33697e276e3d4fcef225368b516ac89d
SHA1 hash:
a9e4d59f7bb31f8295547c96062c3c56c04bbe13
Link:
https://www.unpac.me/results/b6e5878f-594c-4f11-80a7-59927eddec12/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fb790e2db7eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DonutLoader

Executable exe fb790e2db7ebb409abb155124f071c94f9e9275f17f277ca842d1bf9bded4940

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/38761/
  
URLhaus
https://urlhaus.abuse.ch/url/3712355/
  
Delivery method
Distributed via web download

Comments