MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a3493913b3be215927ca464ff826dd910c017edd9795c1ed9464bd90f66664a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a3493913b3be215927ca464ff826dd910c017edd9795c1ed9464bd90f66664a
SHA3-384 hash: c8e6b1555250028fea031df6ef465b0877190d67a729f0067964f6a088531865142fa8d83525d740340424afab9cad86
SHA1 hash: a04cff2819b26ba37ce8642359a150d33766596d
MD5 hash: d346a54d61507adac944b61539bde6a2
humanhash: venus-uniform-six-fix
File name:Invoice.exe
Download: download sample
Signature Loda
Create hunting rule
File size:1'845'248 bytes
First seen:2022-05-12 06:11:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:KZ219IXmcuYfwffqlO2FOa6MzL5ZDVD4jUsQQIEc6q1pe1f8Zdau:Ks19GCYcfcBWMlFB4jUsQQ4zGf8Z
TLSH T1C9858D983294F9DEC817D175CA685CF0AB207C66C32B820B90173D9EB97D683DF215A7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f26efec4b6c2c00c (24 x AgentTesla, 14 x Loki, 12 x Formbook)
Reporter AndreGironda
Tags:exe Loda LodaRAT


Avatar
AndreGironda
MITRE T1566.001
Date: 11 May 2022 20:30-21:00 -0700
Received: from 162-241-137-201.unifiedlayer.com (162.241.137.201)
Received: from [103.151.123.185] (port=58649)
From: Brain Miller <smtpfox-29gp7@mybrokerdesk.com>
Subject: Re: Payment Invoice #28357 Details
Message-ID: <20220511204042.7F32AAB59821A394@mybrokerdesk.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_C2676FCA.45AFE36E"
X-Get-Message-Sender-Via: your.myhomebuyermovies.tv: authenticated_id: smtpfox-29gp7@mybrokerdesk.com
X-Authenticated-Sender: your.myhomebuyermovies.tv: smtpfox-29gp7@mybrokerdesk.com
Return-Path: smtpfox-29gp7@mybrokerdesk.com
Attachment Name: Invoice.zip
Zipfile SHA256: da0f6e298df6247344642667c038648ffb7cb404b17a5e0810aa8f4bfceeac32
Unzipped Executable Name: Invoice.exe
Executable SHA256: 2a3493913b3be215927ca464ff826dd910c017edd9795c1ed9464bd90f66664a
Unpacked Executable SHA256: fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509
Unpacked AutoIT SHA256: 39b499fd6be6f1b68cfa7181efaa0c2e612b52c66a9e95e40f110cf13adcb310

C2 Connect from AutoIT -- hXXp://funmustsolutions[.]site/wp-includes/icex/Script.php

POST /wp-includes/icex/Script.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
User-Agent: 4cab856c-2ae4-4cbd-8a04-329969ee64da
Content-Length: 8
Host: funmustsolutions.site

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269830/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/627ca57c89dc6403e77724bc/reports/28d141a4-7087-4dcb-8470-38061478c29e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cdeb6240-09aa-4a61-9aa0-3f4582c2dc85
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992367
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Binary is likely a compiled AutoIt script file
Disables Windows Defender (via service or powershell)
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 624863 Sample: Invoice.exe Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 74 youtube-ui.l.google.com 2->74 76 www.youtube.com 2->76 78 19 other IPs or domains 2->78 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 5 other signatures 2->100 12 Invoice.exe 3 2->12         started        16 firefox.exe 2->16         started        18 firefox.exe 2->18         started        signatures3 process4 file5 72 C:\Users\user\AppData\...\Invoice.exe.log, ASCII 12->72 dropped 112 Self deletion via cmd delete 12->112 114 Drops PE files to the startup folder 12->114 20 Invoice.exe 2 4 12->20         started        24 firefox.exe 16->24         started        27 firefox.exe 18->27         started        signatures6 process7 dnsIp8 66 C:\Users\user\AppData\Roaming\explorers.exe, PE32 20->66 dropped 68 C:\Users\user\AppData\...\explorers.exe, PE32 20->68 dropped 70 C:\Users\...\explorers.exe:Zone.Identifier, ASCII 20->70 dropped 102 Self deletion via cmd delete 20->102 29 cmd.exe 1 20->29         started        31 cmd.exe 1 20->31         started        88 d2nxq2uap88usk.cloudfront.net 18.64.103.77, 443, 49825, 49827 MIT-GATEWAYSUS United States 24->88 90 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49821, 49823, 49826 GOOGLEUS United States 24->90 92 10 other IPs or domains 24->92 34 firefox.exe 24->34         started        37 firefox.exe 24->37         started        39 firefox.exe 24->39         started        41 4 other processes 24->41 file9 signatures10 process11 dnsIp12 43 explorers.exe 3 29->43         started        46 conhost.exe 29->46         started        116 Adds a directory exclusion to Windows Defender 31->116 118 Disables Windows Defender (via service or powershell) 31->118 48 conhost.exe 31->48         started        50 timeout.exe 1 31->50         started        80 example.org 34->80 signatures13 process14 signatures15 108 Multi AV Scanner detection for dropped file 43->108 110 Injects a PE file into a foreign processes 43->110 52 explorers.exe 2 43->52         started        process16 dnsIp17 82 funmustsolutions.site 173.82.8.218, 49759, 49766, 49770 MULTA-ASN1US United States 52->82 84 www.mozorg.moz.works 52->84 86 3 other IPs or domains 52->86 55 cmd.exe 1 52->55         started        process18 signatures19 104 Adds a directory exclusion to Windows Defender 55->104 106 Disables Windows Defender (via service or powershell) 55->106 58 powershell.exe 24 55->58         started        60 conhost.exe 55->60         started        62 powershell.exe 55->62         started        64 powershell.exe 55->64         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a3493913b3be215927ca464ff826dd910c017edd9795c1ed9464bd90f66664a/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 01:01:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
38
AV detection:
17 of 41 (41.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fi2jhej3hprblet4ursp7atn3eimaf7n3f4vyhwzizf5sd3gmzfa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220512-gx6qbsafg6/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509
MD5 hash:
54fb25c20d4191ff7e5185812485282f
SHA1 hash:
b35c601c1cea874f1e68c8020900cb764e195f6f
Link:
https://www.unpac.me/results/d8f4f7da-4881-469b-b9e8-b2d792f9c14d/
SH256 hash:
c8f053031da47519ffb5b92dd9812d185151cbb2f6186728ed9f3aaa95fc8118
MD5 hash:
b2475f8d75bbedab5489d69b2205fe09
SHA1 hash:
8748925dfc3ec6b21a926fa229d88fb70a3551d3
Link:
https://www.unpac.me/results/d8f4f7da-4881-469b-b9e8-b2d792f9c14d/
SH256 hash:
753bb6d3f2107a7ed0071a4efa04ddb1a9d09edbeb382020e4d558d46b572048
MD5 hash:
b5911e16822a39925df899d348f05e0f
SHA1 hash:
47690a21ed470fae27fa0e315dbbee4d97dd43ee
Link:
https://www.unpac.me/results/d8f4f7da-4881-469b-b9e8-b2d792f9c14d/
SH256 hash:
5e3a156bbead5317892e6be88cdcbae5bee3b46ca2135d8211f396a267774fd7
MD5 hash:
6a815ef8ee5ae48b7d79bc003233309b
SHA1 hash:
17e0d42878d5164599c2633100848b71e9b3364f
Link:
https://www.unpac.me/results/d8f4f7da-4881-469b-b9e8-b2d792f9c14d/
SH256 hash:
2a3493913b3be215927ca464ff826dd910c017edd9795c1ed9464bd90f66664a
MD5 hash:
d346a54d61507adac944b61539bde6a2
SHA1 hash:
a04cff2819b26ba37ce8642359a150d33766596d
Link:
https://www.unpac.me/results/d8f4f7da-4881-469b-b9e8-b2d792f9c14d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/2a3493913b3be215927ca464ff826dd910c017edd9795c1ed9464bd90f66664a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loda

Executable exe 2a3493913b3be215927ca464ff826dd910c017edd9795c1ed9464bd90f66664a

(this sample)

Loda

Executable exe fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509

  
Dropping
SHA256 fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269830/
  
Dropping
MD5 54fb25c20d4191ff7e5185812485282f

Comments