MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a4d7a965507ccd0e5f46bad16c6dd68fcb496229ba49b81cfea2b66e957fc35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loda

Vendor detections: 15

Intelligence 15 IOCs 1 YARA File information Comments

SHA256 hash:	5a4d7a965507ccd0e5f46bad16c6dd68fcb496229ba49b81cfea2b66e957fc35
SHA3-384 hash:	5d3cacd1490c8b6b9c5efbb291de5da37d9a55587ac984bdd844df725b472e7399eb99cfa2620c21fa25fff8d9e5895f
SHA1 hash:	87d3a954b2fe31e19e3170aeabe2764d84020b9e
MD5 hash:	074523ed9b787f0a00370669e990bd6f
humanhash:	quebec-potato-tango-carbon
File name:	074523ed9b787f0a00370669e990bd6f.exe
Download:	download sample
Signature	Loda Create hunting rule
File size:	11'933'696 bytes
First seen:	2026-02-19 17:05:59 UTC
Last seen:	2026-02-19 17:45:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4bb2436b569f68911a870608bbdf4781 (1 x Loda)
ssdeep	196608:KveTf16AV+r3ONwruEwNds6YHNrPgYXVFDVdRXdAnl4GMNw6qVqfnJ79rFt5XI:KI1697OCyEwNFYHlgYF7dRNAnltMNw6M
TLSH	T1E5C633991DCB00D6EAC21470DB2BABE723F694BA489D4C353AC9314170B2FB6B05F957
TrID	27.0% (.EXE) Win64 Executable (generic) (6522/11/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Loda

abuse_ch

Loda C2:
195.177.94.71:4000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
195.177.94.71:4000	https://threatfox.abuse.ch/ioc/1750884/

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/40a365cd-d4e0-4574-856f-ebc72c40b19d/

Malware family:

loda

ID:

File name:

074523ed9b787f0a00370669e990bd6f.exe

Verdict:

Malicious activity

Analysis date:

2026-02-19 17:08:05 UTC

Tags:

auto-reg loda rat autoit

Link:

https://app.any.run/tasks/e6bed10d-e252-4dfc-bdfd-373bd01e687c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53868/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.95999559.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6997432ac950ab5d9aaf7773

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Creating a process from a recently created file

DNS request

Connection attempt

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6997431710e80629d4ea583d/reports/918fb038-4a89-4f7d-8064-da80f0f13a62/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/5a4d7a965507ccd0e5f46bad16c6dd68fcb496229ba49b81cfea2b66e957fc35

Verdict:

Malicious

File Type:

exe x32

Link:

https://opentip.kaspersky.com/5a4d7a965507ccd0e5f46bad16c6dd68fcb496229ba49b81cfea2b66e957fc35/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/7d4bc251-694b-4b4d-96da-b98446fae285

Result

Threat name:

LodaRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1872042

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected LodaRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5a4d7a965507ccd0e5f46bad16c6dd68fcb496229ba49b81cfea2b66e957fc35

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a4d7a965507ccd0e5f46bad16c6dd68fcb496229ba49b81cfea2b66e957fc35/

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2026-02-17 14:53:19 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ljgxvfsva7gnbzpunowrnrw5nd6ljfrctosjxaop5ivwn2kx7q2q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/260219-vmnzesdv8f/

Behaviour

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

AutoIT Executable

Adds Run key to start application

Executes dropped EXE

Unpacked files

SH256 hash:

5a4d7a965507ccd0e5f46bad16c6dd68fcb496229ba49b81cfea2b66e957fc35

MD5 hash:

074523ed9b787f0a00370669e990bd6f

SHA1 hash:

87d3a954b2fe31e19e3170aeabe2764d84020b9e

Link:

https://www.unpac.me/results/ff98be9d-ec72-4d4d-b803-76a52027831a/

SH256 hash:

21f497be59f7cda0079e1c6ab9803962204e3d2bcadb6545ffe0c5091ff4d78a

MD5 hash:

b9c7de1700291db6e3a4682f8f69f7b1

SHA1 hash:

57585951dda0779252f1634bb1fa20a5af0a1fdd

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/ff98be9d-ec72-4d4d-b803-76a52027831a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Loda

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a4d7a965507ccd0e5f46bad16c6dd68fcb496229ba49b81cfea2b66e957fc35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/53868/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample