MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 007d4a581f70c7d0a86307123df5d769c3d948dd9b7d5c4ec3b274f2b0bf3647. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loda

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments 1

SHA256 hash:	007d4a581f70c7d0a86307123df5d769c3d948dd9b7d5c4ec3b274f2b0bf3647
SHA3-384 hash:	39a3b97c549885b003d34798d627f33c5f8b1b4b2b4a83210345b602be55fcb2b371d30730a71649002e43ac021e13e4
SHA1 hash:	e7aa41f2b685f4108d484e6b0d29c344293ea763
MD5 hash:	838d874bf630974e28861a3d5085e09b
humanhash:	blossom-oscar-lithium-michigan
File name:	838d874bf630974e28861a3d5085e09b
Download:	download sample
Signature	Loda Create hunting rule
File size:	1'313'280 bytes
First seen:	2024-01-11 05:44:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep	24576:e4lavt0LkLL9IMixoEgeaQway4e3nMrJclk1MvuduAHEq9MmCS:Jkwkn9IMHeage3nM9zMvudWaPCS
TLSH	T13755D01373EE83A5C3725173BA55BB01AEBB7C2506B4F49B2FD8093DE920161921E673
TrID	63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 11.6% (.EXE) Win64 Executable (generic) (10523/12/4) 7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	1b934a92e95b9331 (1 x Loda)
Reporter	zbetcheckin
Tags:	32 exe Loda

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

c444868d4cbbecd4c7083de14310fcc934d9e60a2c41de4a30057044acd9b962.exe

Verdict:

Malicious activity

Analysis date:

2024-01-02 19:53:06 UTC

Tags:

loader smoke smokeloader

Link:

https://app.any.run/tasks/38001292-4ff4-4ad6-8eda-a62089e9f312

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/470302/

Detection(s):

Txt.Malware.LodaRAT-9769386-0

SecuriteInfo.com.VBS.Dropper-4.UNOFFICIAL

Txt.Malware.LodaRAT-9978072-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit control greyware keylogger lolbin nanocore packed predator shell32 threat

Link:

https://www.filescan.io/uploads/659f806294d1aebfb299371d/reports/13c42a81-6ef9-40a5-ae69-d7f09ed4641e/overview

Verdict:

Malicious

Labled as:

AIT.Lisk.3.B45E998A

Link:

https://www.hybrid-analysis.com/sample/007d4a581f70c7d0a86307123df5d769c3d948dd9b7d5c4ec3b274f2b0bf3647

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6117b757-2b83-4d7a-8838-ae2b3f24146f

Result

Threat name:

LodaRAT

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1372861

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses dynamic DNS services

Yara detected LodaRAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/007d4a581f70c7d0a86307123df5d769c3d948dd9b7d5c4ec3b274f2b0bf3647

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/007d4a581f70c7d0a86307123df5d769c3d948dd9b7d5c4ec3b274f2b0bf3647/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2024-01-03 03:19:19 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ab6uuwa7odd5bkdda4jd35oxnhb5ssg5tn6vytwdwj2pfmf7gzdq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240111-gfqb1sgdg6/

Behaviour

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Enumerates physical storage devices

Unpacked files

SH256 hash:

007d4a581f70c7d0a86307123df5d769c3d948dd9b7d5c4ec3b274f2b0bf3647

MD5 hash:

838d874bf630974e28861a3d5085e09b

SHA1 hash:

e7aa41f2b685f4108d484e6b0d29c344293ea763

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/d0a08c31-b3d5-4ae0-919f-85e2a349fee8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Loda

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/007d4a581f70c7d0a86307123df5d769c3d948dd9b7d5c4ec3b274f2b0bf3647

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIt Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	AutoIT packer

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loda

exe 007d4a581f70c7d0a86307123df5d769c3d948dd9b7d5c4ec3b274f2b0bf3647

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/470302/

URLhaus

https://urlhaus.abuse.ch/url/2748042/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-01-11 05:44:41 UTC

url : hxxps://deviltelegram.000webhostapp.com/A.exe