MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d2e4f11193ed6e79071fe272dbd73db699e90f50c1ad9fdd9bdd03f165139e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d2e4f11193ed6e79071fe272dbd73db699e90f50c1ad9fdd9bdd03f165139e2
SHA3-384 hash: 60bf5fdb350be14d53591e36cb37b8893e9d6bd67df687c1fa9572b4121b095f9df31841bd643f4d59efab643aeb626b
SHA1 hash: bae056504f4c00ac2cb3b17bc26ff1eeec75e54e
MD5 hash: a4bc9cd6f9fcfa91180b2850ee2294d0
humanhash: eight-ack-nuts-blossom
File name:a4bc9cd6f9fcfa91180b2850ee2294d0.exe
Download: download sample
Signature Loda
Create hunting rule
File size:1'550'848 bytes
First seen:2021-08-22 11:06:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:jbRMhols1uL3+aysFBuLi7JGIlp1A+KXQbPFrx9HCPSATchz8RWXslqtwrR6oJx3:jChbs6iBu8GIb39HCPSATc5rwAor3
Threatray 1'089 similar samples on MalwareBazaar
TLSH T1EA758B3C19B91637D1B5D365EBE58423F148986FB414AE69ADDE03A7030BA9334C723E
Reporter abuse_ch
Tags:exe Loda


Avatar
abuse_ch
Loda C2:
79.142.76.244:9735

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.142.76.244:9735 https://threatfox.abuse.ch/ioc/192601/

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a4bc9cd6f9fcfa91180b2850ee2294d0.exe
Verdict:
Malicious activity
Analysis date:
2021-08-22 11:06:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f2121a6a-23f2-4f0b-b4ac-8e654fdd6a0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181220/
Detection(s):
Win.Packed.Pwsx-9887685-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Running batch commands
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/067d127d-66cb-4ab0-87ce-af273bd14139
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/837024
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 469455 Sample: YINFFTpCA4.exe Startdate: 22/08/2021 Architecture: WINDOWS Score: 96 66 Multi AV Scanner detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected AntiVM3 2->70 72 5 other signatures 2->72 8 YINFFTpCA4.exe 7 2->8         started        12 EFWXUV.exe 2->12         started        14 EFWXUV.exe 2->14         started        process3 file4 56 C:\Users\user\AppData\...\RERCUsunCHgQ.exe, PE32 8->56 dropped 58 C:\Users\...\RERCUsunCHgQ.exe:Zone.Identifier, ASCII 8->58 dropped 60 C:\Users\user\AppData\Local\...\tmp57DE.tmp, XML 8->60 dropped 62 C:\Users\user\AppData\...\YINFFTpCA4.exe.log, ASCII 8->62 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 8->74 76 Adds a directory exclusion to Windows Defender 8->76 78 Injects a PE file into a foreign processes 8->78 16 YINFFTpCA4.exe 8->16         started        20 powershell.exe 23 8->20         started        22 powershell.exe 25 8->22         started        32 2 other processes 8->32 80 Multi AV Scanner detection for dropped file 12->80 82 Machine Learning detection for dropped file 12->82 24 powershell.exe 12->24         started        26 schtasks.exe 12->26         started        28 powershell.exe 12->28         started        30 EFWXUV.exe 12->30         started        signatures5 process6 dnsIp7 64 interface.cloudns.nz 79.142.76.244, 49704, 9735 ALTUSNL Netherlands 16->64 54 C:\Users\user\AppData\Roaming\...FWXUV.exe, PE32 16->54 dropped 34 cmd.exe 16->34         started        36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 32->46         started        48 conhost.exe 32->48         started        file8 process9 process10 50 conhost.exe 34->50         started        52 schtasks.exe 34->52         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d2e4f11193ed6e79071fe272dbd73db699e90f50c1ad9fdd9bdd03f165139e2/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 17:11:42 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=luxe6eizh3lopedr7yts3plt3nuz5ehvbqnnt7ozxxid6fsrhhra._file
Verdict:
malicious
Similar samples:
3f2e8fd710205958051a8f03cd6ba8e0595e9a6688b08255ff11af359a135dcc
Loda
42b69d127811ca7706dde5099f967a1502a3192cf4e3d4b0b7cf5660959f7d07
Loda
55b779f35f7ba5b7e409de245f0c6c8c2f7f38292f7d33b42e65f1fe4cbe6ee9
Loda
635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164
Loda
69858f544bafcbb3e3f32f1584fa4d162cdc44cd9fd05c129044ff081a8becae
Loda
9f2ac60f8370f645f50a08dc1c87c0c6964013c586138942bf457682f1d6eaef
Loda
a4c035de8a4edb11a8cfaef2f2f8326d8909578cf9d5a5534edd4eb9d5a50680
Loda
b3be486490acd78ed37b0823d7b9b6361d76f64d26a089ed8fbd42d838f87440
Loda
cc773fa6caca8fd14bc2b054038dcaa627496f233e31c9b51ddc0d7e51d1a79b
Loda
+ 1'079 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210822-qh43gp7dmj/
Behaviour
Creates scheduled task(s)
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
autoit_exe
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
162312745dcfcd2f232bd5cf18bae913c1ba02aa6617fe6463b9c7f185255187
MD5 hash:
ade8cd1a169402fff464cc5f11af6580
SHA1 hash:
2b8fed96c5fe62fbef68eb9318ced89daa79d321
Link:
https://www.unpac.me/results/3c493448-1267-4839-a94b-90f93a422a50/
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/3c493448-1267-4839-a94b-90f93a422a50/
SH256 hash:
b6f1e1733c23989257af6e41b053425f918228955e9a56974d18830b52b9736b
MD5 hash:
dff735aff27456a433bbb8dfaef5b9d8
SHA1 hash:
57693d2061bd337476277fad35e274934e06f7aa
Link:
https://www.unpac.me/results/3c493448-1267-4839-a94b-90f93a422a50/
SH256 hash:
5d2e4f11193ed6e79071fe272dbd73db699e90f50c1ad9fdd9bdd03f165139e2
MD5 hash:
a4bc9cd6f9fcfa91180b2850ee2294d0
SHA1 hash:
bae056504f4c00ac2cb3b17bc26ff1eeec75e54e
Link:
https://www.unpac.me/results/3c493448-1267-4839-a94b-90f93a422a50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d2e4f11193ed6e79071fe272dbd73db699e90f50c1ad9fdd9bdd03f165139e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181220/

Comments