MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d58813f6e88337b27157411f7a929995e64dd389c16da0fc12e0bdf0f4c48d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d58813f6e88337b27157411f7a929995e64dd389c16da0fc12e0bdf0f4c48d5
SHA3-384 hash: 990747a3270d85d8617f872fbdee6ee12990703fd5cc005ed0dcaadca10c7b2eb8af292474e88fd8df9d8fcb6ecc1554
SHA1 hash: 02e3741b512e67752154fc388975e77dec90e07b
MD5 hash: f809c56bb46391ec449b2bdb74a33c4e
humanhash: finch-river-magnesium-uncle
File name:f809c56bb46391ec449b2bdb74a33c4e.exe
Download: download sample
Signature Loda
Create hunting rule
File size:1'177'283 bytes
First seen:2020-12-14 09:13:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 369fe35b86c83b3130c02698158a4d4d (14 x Formbook, 4 x RedLineStealer, 4 x AgentTesla)
ssdeep 24576:BRmJkcoQricOIQxiZY1WNuVm1o5URAiSXehlVfQkElrV/1:uJZoQrbTFZY1WNsCoaEGVf1q11
TLSH E245E121B5C69035C2F327B19E7FF36A9A3D69360336D29B27C81D355E604816B29733
Reporter abuse_ch
Tags:exe Loda RAT


Avatar
abuse_ch
Loda C2:
setupbases.awsmppl.com:9735 (194.187.251.163)

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f809c56bb46391ec449b2bdb74a33c4e.exe
Verdict:
Malicious activity
Analysis date:
2020-12-14 09:16:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/75051042-6b4f-4a12-9116-bc8f9881cdb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107909/
Detection(s):
PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

SecuriteInfo.com.BackDoor.IRC.Bot.3238.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/561988
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 330082 Sample: GPpzgvxnR7.exe Startdate: 14/12/2020 Architecture: WINDOWS Score: 84 28 Multi AV Scanner detection for domain / URL 2->28 30 Antivirus / Scanner detection for submitted sample 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Uses schtasks.exe or at.exe to add and modify task schedules 2->34 7 PFKESG.exe 2->7         started        10 GPpzgvxnR7.exe 1 2 2->10         started        14 PFKESG.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 36 Antivirus detection for dropped file 7->36 38 Multi AV Scanner detection for dropped file 7->38 26 setupbases.awsmppl.com 194.187.251.163, 49729, 9735 M247GB United Kingdom 10->26 24 C:\Users\user\AppData\Roaming\...\PFKESG.exe, PE32 10->24 dropped 18 cmd.exe 1 10->18         started        file5 signatures6 process7 process8 20 conhost.exe 18->20         started        22 schtasks.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d58813f6e88337b27157411f7a929995e64dd389c16da0fc12e0bdf0f4c48d5/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 02:55:20 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvmicp3orazxwjyvoqi7pkjjtfpgjxjytqlnud6bfyf56d2mjdkq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201214-zn3zvpm12n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
0d58813f6e88337b27157411f7a929995e64dd389c16da0fc12e0bdf0f4c48d5
MD5 hash:
f809c56bb46391ec449b2bdb74a33c4e
SHA1 hash:
02e3741b512e67752154fc388975e77dec90e07b
Link:
https://www.unpac.me/results/82a75f57-3832-40a6-98c3-52623beb9921/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d58813f6e88337b27157411f7a929995e64dd389c16da0fc12e0bdf0f4c48d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/107909/

Comments