Table of Contents
A new DattoRMM sample was identified by threat intelligence feeds on 2026-04-15 17:40:48. This post breaks down what we know about the specific sample, how to recognize related activity on your network, and what to do if you or your organization might be affected.
The Sample at a Glance
| Field | Value |
|---|---|
| SHA-256 | f58cb609fb798117ad61bcfbcea69a7284d43468b61f1274cbf58759c3e366ab |
| File name | TrueView.exe |
| File type | exe |
| Size | 10.54 MB |
| Origin (first observed) | US |
| First seen | 2026-04-15 17:40:48 |
| Family | DattoRMM |
| Tags | DattoRMM, exe, signed |
| VirusTotal detection | 15/76 engines flagged malicious |
What DattoRMM Does
DattoRMM is a malware family observed delivering malicious payloads to Windows systems. Samples in this family typically steal credentials, establish persistence, or enable remote access for attackers.
Seeing this family on your network — or finding a file matching this hash — is a red flag. DattoRMM samples are typically distributed through phishing emails, malvertising, fake software downloads, or cracked installers. Once executed, the malware usually establishes persistence on the host, harvests credentials and sensitive data, and establishes an outbound channel to command-and-control infrastructure operated by the attackers.
Search this threat on ThreatChain threatchain.io
Detection Landscape
Multiple security vendors have weighed in on this specific sample:
- ANY.RUN:
[{'malware_family': None, 'verdict': 'Malicious activity', 'file_name': 'TrueView.exe', 'date': '2026-04-15 17:43:49', 'analysis_url': 'https://app.any.run/tasks/689b7e3e-f5e2-448d-9a07-78da26c2e167', 'tags': ['datto', 'rmm-tool', 'auto-reg']}] - vxCube:
malware2 - Intezer:
suspicious - Spamhaus_HBL:
[{'detection': 'suspicious', 'link': 'https://www.spamhaus.org/hbl/'}] - UnpacMe:
[{'sha256_hash': 'f58cb609fb798117ad61bcfbcea69a7284d43468b61f1274cbf58759c3e366ab', 'md5_hash': '986af9a919c2aa068e6b9df61b63dd67', 'sha1_hash': 'bae91a247e6c9de559a2c22989888e854e0d6c3d', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '51ef37aba482d8b9e8f32b3c0aac657f3e7f4f0aa1ab1ec2785c4a2dd190f040', 'md5_hash': '0f0613eb7b301c1122ac88d00799c107', 'sha1_hash': '46874ba28b7bd9ce3102ade9366263d918260f04', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'd2c5255f75c6cc1b0b3893a0109439ab9dac0de323a496384fb22b09c7aba10c', 'md5_hash': 'e90629a0a6e77c2099f8887ad4020ac0', 'sha1_hash': '5542dbd6cc4db306d3849d3c8542dbbdff238892', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '3b15c6e4ca42036d7424f93ea0806a2d35220d65faaf2bd2479a54258f631b55', 'md5_hash': '428c3a07fba184367a5085e46e4a790b', 'sha1_hash': 'f2de6cd4ec99ab784d18914a21de9d919a450089', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1', 'md5_hash': '56a321bd011112ec5d8a32b2f6fd3231', 'sha1_hash': 'df20e3a35a1636de64df5290ae5e4e7572447f78', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '0e92d3683673d7899d33c71d2b5e022d83198aab9413dcafc43f6ce597cdf252', 'md5_hash': 'fcbce484db6b9051b50381be4c70d4ad', 'sha1_hash': 'f752be7a7a0d9e7986855db6806b01c70350c058', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '24bd076d31dc9d363eb2adb8b27a7d45d9f975aeec565132d27901537e31f239', 'md5_hash': 'd552de7d39179b914db7cc2dbdd005c2', 'sha1_hash': '044329c6c335224ba05a4e398a5fcb204f13ac36', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d', 'md5_hash': 'c8164876b6f66616d68387443621510c', 'sha1_hash': '7a9df9c25d49690b6a3c451607d311a866b131f4', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '4d47bbb4ff0b6739fb6e069087b6d73b0e2ebc173da9fa47a3a94fcbc506d9f3', 'md5_hash': '36fd5269d81b6296a49c84d139a6693b', 'sha1_hash': 'ae05c3a1f049a8740339ad873a96c2e1c3cb61fb', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '5413095e2e536356a2f8facfcf0818f711bc512aad8a0034f646cbd4e9f979df', 'md5_hash': '9bd9998fada60eb7e157148a5d681633', 'sha1_hash': '0715f534b854ac2e3660dd073610e2c6426ef274', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '5913c5adf3d13df54f269072777d520e5beab2b9f2e263393ed13c83266568cf', 'md5_hash': 'bd92b9cc2d7628864eb867c226401be2', 'sha1_hash': '1eeb0366437c0ae338b2cd953b038dc08d08a1c4', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '5a7ca101fd8efe0006f2f69d786989adc968d82cea35d83e976fb12d9baace32', 'md5_hash': 'e42998e3bb92e6696a82ef796efac507', 'sha1_hash': '8202e573a8abedaaa138b3cef6135ce09c0e87e6', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '5cb69d880a0ceb97926036debb3e01ea2095e8766f49cedf27658a18002cf217', 'md5_hash': '53dbdacadb12d1075036068693a5a390', 'sha1_hash': '00cc052cdca64619fc968c3327b2a140857fa53c', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '5f29e16edff5379e93d5be9bee4cddf98132b84326027688511ac0f3157aaf94', 'md5_hash': 'd01819bfe03222dfa9e35a36555b6b6c', 'sha1_hash': '25f8069590b14724f28e6a04b8a42e4ef4a8562d', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '64925bf576e340cb7218c07d096efa9b8f118ad71100f1339386a93bedec8239', 'md5_hash': '8ebf7a91b257eee294f827006cdd74fc', 'sha1_hash': '1f10c8b06f870c857566a263e08633e82d3bc9c0', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '74e9ea4521981be2e6f2ed16ac290a7c02edda5a5c9667e73c81f6e26279e19e', 'md5_hash': '7c6b16079293813e00866903e5f3ddee', 'sha1_hash': 'eed5c13066fc476290e2154c0f47b059b497696f', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '88773a254a7e056a83d6eb7d80b57cc0195cc16bca8317ea35a0576b6a38c639', 'md5_hash': '7734b6c01e0c7cecb74187e675259663', 'sha1_hash': 'ab786ca77c67c97ad63444238187fab85f1c8716', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '8b0f62bb2f3af65e458ca56535a580c31fc9ce555ec8dae825031c843b440f1e', 'md5_hash': '93847672e8ab6a31d56a93b28daa130c', 'sha1_hash': '3654b18fa3b2cbb90bf65ffd78b4449c04e7fd69', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '8e0c73e94cdd28b0373bb6e1fbebe29f258f8fbf0d4771ac9dd08dbcda3ef6d9', 'md5_hash': 'ae2f45308384f5f2aaec76f079dca1af', 'sha1_hash': '30e20b3f79f9164644b7ba2bc171cd60bcfb0690', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '9292eb06bf4cd100c94abd2949a96351a0f3710008674993c7491da578e1ede1', 'md5_hash': '99a817a04b25690b98edf3370ed2eb83', 'sha1_hash': '1a878f0e4fb4f7ea1d75674eb724fc6feaccdff0', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '92f1d0d6ccfb0d030789f3c5c636fcdd08f6d0541a5a54f185e8ecd85592e3f9', 'md5_hash': '6aa2393ff1fde1a61d0cf51730428f74', 'sha1_hash': '3c847a95a6547aa49919789d7a0cb6ed76122849', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '9d6f57b2cda902df276730d76c481d4537402643d1aed03dab81a5d17286c913', 'md5_hash': 'ad23b4cdfda55b7abe505087b246b1a3', 'sha1_hash': '442fb06d6c8173429f8f4133478086ccaf4dc271', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294', 'md5_hash': '83cd62eab980e3d64c131799608c8371', 'sha1_hash': '5b57a6842a154997e31fab573c5754b358f5dd1c', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'b46f763461aea32fcea7ad964533a0706e6ea377c211f8dbd1841241a4edc7e3', 'md5_hash': 'c9217b4fc057c99ef0b1c603de094a30', 'sha1_hash': '8b6326767783e351c6bed00ea2aa46ce441048c0', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'b635ba89e9cc8455f252b7e24e5d2838f50aaf75121ca7d070bb7d6cf41a6235', 'md5_hash': '06b971620bda7960f7d8e43ce69e3bbe', 'sha1_hash': '08e1f37cd9c1d320fac3a32105f16abbbb73092c', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'b746d90bcf5e7a8a4aec80e2bf8aa5f5ce849f1916dc9fe0fb228dcc90090fd9', 'md5_hash': 'a4b9e2b46a9670f831c1a6323a61db31', 'sha1_hash': '0c35a56d1bc942c53fc4837be935851a86dedfaf', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9', 'md5_hash': 'a5f8399a743ab7f9c88c645c35b1ebb5', 'sha1_hash': '168f3c158913b0367bf79fa413357fbe97018191', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'dc6cf05cde0f011869a289faa32a791994e200a3fbaff3e30678d67672ed3543', 'md5_hash': '980a9457e4dd84b0e002523cb5ca728e', 'sha1_hash': 'f725746ee48bb640778dcf241c8fb7805a07172e', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'dfa9351dcbbbde572684f569b900ade24380fc0ad63d592c4100d754b2bfdf7e', 'md5_hash': 'e28c8111ea4cab3890fb559e977f5847', 'sha1_hash': 'cc19e6ceee81d2dcea7358cd0d9c53f442088dad', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'dfeab83e6a9555a6c18070c611d868e117fa2fef6f815da26e622feb2e610254', 'md5_hash': '8e4e0ea396b5452bed54e6888cb07ca1', 'sha1_hash': '1a7afcdd7f118b3ef8f1d9761fa71faeee16fd2c', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'e333548749078be5b6207453755e40220361ace77bae0b81b60e2666b5fa8986', 'md5_hash': 'aa78ec5b23873e94e11f619b7566cc95', 'sha1_hash': '3e4b0d084212dc096ae1b2b4194a11c4e9fa255c', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'e9932fb947df5125648828248f51beb1f0b213b41f0a15bf77d56bc4b9217375', 'md5_hash': '9defb2682db3afbc640ac3fdf4045154', 'sha1_hash': '3996fe866d6bd39878ea6b498e439589020c1ed8', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'ea7fd75e2bb069699d4da09f3601d70ca8e401f58949178cdbf2c5928720daa1', 'md5_hash': '8f6875148b45c300b95514cb40703c2e', 'sha1_hash': '0015b8e21d84e0f6f174cf71b63651bad94582df', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'eb209f6eccdebca405183de5f24ef34ee8c850615e6ab9f086f5a4fb6851e071', 'md5_hash': '975354d0a22c4a77e27624bfcb05777e', 'sha1_hash': 'd4e71d00d95dede191e1347dd4bf284908705cd2', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'eb627549fa4ba8dfedbe22ab7dda5ef750ee29a588ae8760b73ff39f6af3cc1b', 'md5_hash': '839ebb0c02f5fa42a3baa3a6011f0b72', 'sha1_hash': '81fe569a2010ee2048d30d521f3258492a8cd645', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'f041747b5b6b20b6620ca13a7b276c9e9070e54cda8c29f6add54cba9a42a2f5', 'md5_hash': '0f581e56ed5ba500ce5d98d105b04a37', 'sha1_hash': 'b6e2cade601bc6fd15e7f07ed41a4dfa4ee0a589', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'f43ec0e1544baf147e28a7135f3e9cda40cf2657f31fa8c6acb2501fd95b4e3e', 'md5_hash': 'a5a4cd5e052208055b3154e9afe2f463', 'sha1_hash': '3be61fcc6003faab2f96577dc721618489dc367c', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': 'f71621c47c610e0886846cf53d955fd0e7448951f99ecc22facd47493ef97a87', 'md5_hash': 'e548a93d16964e52868c47cef1c98f2e', 'sha1_hash': '4b96b0aa48f6ac050a764c7d65f4129a9bb8cf21', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}, {'sha256_hash': '7274fe736fe36cdc8343b04fea6ff598ce384ead99ea94e4b47d4d329037331d', 'md5_hash': '941a7b4dc105c3487d2b2961dc6ccb01', 'sha1_hash': 'ac71c5b759cabd78213748329909eaee60810d12', 'detections': [], 'link': 'https://www.unpac.me/results/68e12b59-0d65-44c5-b938-763bf2aef020/'}] - Kaspersky:
Adware
Indicators of Compromise
If you're hunting for this sample or related DattoRMM activity, here are the concrete indicators to feed into your SIEM, EDR, or host-based searches:
- SHA-256 hash:
f58cb609fb798117ad61bcfbcea69a7284d43468b61f1274cbf58759c3e366ab - Filename pattern:
TrueView.exe - File type: exe
- Behavioral tags: DattoRMM, exe, signed
- YARA rules matched: FreddyBearDropper, PE_Digital_Certificate, TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
How to Check If You're Affected
- Search your endpoint logs for the SHA-256
f58cb609fb798117ad61bcfbcea69a7284d43468b61f1274cbf58759c3e366ab. Most EDR platforms support historical hash searches across all monitored hosts. - Check for the filename
TrueView.exein recently downloaded files, email attachments, and installer bundles. - Look for outbound connections to uncommon TLDs or newly registered domains — DattoRMM typically beacons to command-and-control infrastructure shortly after execution.
- Review scheduled tasks and registry run keys — this family commonly establishes persistence through standard Windows autorun locations.
- Run an updated AV or EDR scan across potentially affected hosts. Because this sample is already in public threat intel feeds, current signatures should flag it.
What to Do If You Find It
If you find evidence of this sample or related activity on your systems:
- Isolate the affected host from the network immediately to prevent lateral movement.
- Capture memory and disk images before rebooting. Reboots destroy critical forensic evidence, especially in RAM.
- Rotate credentials that may have been exposed — browser-saved passwords, VPN credentials, SSH keys, and any service accounts used on the affected host. DattoRMM frequently targets these.
- Check for secondary payloads. DattoRMM is often a stepping stone for additional malware including ransomware or banking trojans.
- Report the incident to your security team. For larger organizations, consider notifying your regional CERT.
Free Threat Lookups
You can verify any suspicious hash against the ThreatChain database for free — no signup, no API key required. Paste any MD5, SHA-1, or SHA-256 at threatchain.io/lookup and get results across multiple intel sources in seconds.
For cross-referencing this specific sample, you can also look it up directly on MalwareBazaar where the original submission and vendor analysis is recorded.
Sample Available for Researchers
This sample is available as a password-protected ZIP (password: infected) for security researchers.
Protect Your Infrastructure with ThreatChain SIEM
Real-time threat detection powered by 2.6M+ indicators. Search any hash, domain, wallet, or IP.
View Pricing