MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loda

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c
SHA3-384 hash:	ce25dcfa052718e920798360866ae5448d1fa7952771f75b5bd7da12748b9ed59ef74d900084acdf0ac51696587ccc25
SHA1 hash:	0670fd65afaefab7dd94322554458dceb85107eb
MD5 hash:	2eb7673e5753a0a2a92d9d35b5dc5389
humanhash:	muppet-georgia-maryland-artist
File name:	ESDJCC.exe
Download:	download sample
Signature	Loda Create hunting rule
File size:	1'598'976 bytes
First seen:	2025-10-14 18:23:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0e136cae6f625c80ecae333d9e2a37fa (10 x Loda)
ssdeep	49152:Gkwkn9IMHeaEZv3rZynq8BB7+1wkmYOFtNsaPCS:ldnVwv3riFBBSSkmhvPC
TLSH	T14875DF1267EF8391C3725033BA22B741AE7B7D2405EAB0571FE73E7DAA70461121A673
TrID	32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
dhash icon	f0d0c8cdcd88c0e0 (12 x AsyncRAT, 6 x XWorm, 4 x Formbook)
Reporter	Anonymous
Tags:	exe Loda

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://github.com/admsalespre01-design/JOJO

Verdict:

Malicious activity

Analysis date:

2025-10-14 15:46:55 UTC

Tags:

github anti-evasion autoit upx

Link:

https://app.any.run/tasks/90746b23-0c52-4d11-8a4b-dafcea797215

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/32818/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee962a97a16d00a8d9f2c6

Tags:

autorun autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc obfuscated packed packed packer_detected threat

Link:

https://www.filescan.io/uploads/68ee97c174d89de012b5c680/reports/d67c47ef-9b45-4df9-9fef-0f91602d0640/overview

Verdict:

Malicious

Labled as:

AIT.Heur2.Lisk.4.98E5FB07

Link:

https://www.hybrid-analysis.com/sample/19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c

Verdict:

Unknown

File Type:

exe x32

Link:

https://opentip.kaspersky.com/19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/21ed9c3a-36a1-40c1-98c5-e4d398e7acb1

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/2eb7673e5753a0a2a92d9d35b5dc5389

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c/

Verdict:

Malicious

Threat:

Backdoor.Script.LodaRat

Link:

https://tip.neiki.dev/file/19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-10-14 18:02:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=df4xygnibblgmi4bo76x3km3gtdoedu2r5x76kwszujqausrbega._file

Verdict:

malicious

Label(s):

autoit

Similar samples:

error

Loda

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery execution persistence

Link:

https://tria.ge/reports/251014-w7xbzaav3h/

Behaviour

NTFS ADS

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

AutoIT Executable

Adds Run key to start application

Executes dropped EXE

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/aad00418-f202-4459-9b99-a59087db6a28

Unpacked files

SH256 hash:

19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c

MD5 hash:

2eb7673e5753a0a2a92d9d35b5dc5389

SHA1 hash:

0670fd65afaefab7dd94322554458dceb85107eb

Link:

https://www.unpac.me/results/93c2a2d2-41bb-48a3-9ab3-85ed79a8f248/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19797c19a8085666238177fd7da99b34c6e20e9a8f6fff2ad2cd13005251090c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIt Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	AutoIT packer

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32818/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample