MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loda


Vendor detections: 7



SHA256 hash: 6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
SHA3-384 hash: c0d27ae5ec40f45faa31f2611cda3b27a79fe53074c61451acabf6f7538e01ce16b216c4440678855c315e69a3a7f6e2
SHA1 hash: f05af9477a0e87e53fa870537ebe9d061aeb7831
MD5 hash: 8df974cd82ec27ce7638acccc66fd3a5
humanhash: diet-mexico-comet-robin
File name: final Order.exe
Signature: Loda
File size: 1'187'883 bytes
First seen: 2020-08-17 06:09:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep: 24576:0RmJkcoQricOIQxiZY1iaaDUvJTyx8lYAv5Ed5pNorrOqMT:RJZoQrbTFZY1iaaDUv88l5v5EdvLq2
Threatray: 169 similar samples on MalwareBazaar
TLSH: CA45E122F5D68036C2B323B19E7EF76A963D65360337D19B27C82D315EA04816B39763
Reporter: abuse_ch
Tags: exe Loda


abuse_ch
Malspam distributing unidentified malware:

HELO: mailfilter02.viettel.com.vn
Sending IP: 125.235.240.54
From: htethtet.win@vcm.com.mm
Subject: Request for quotation (Very Urgent)
Attachment: final Order.REV (contains "final Order.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 89
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Threat name: Unknown
Detection: suspicious
Classification: evad
Score: 35 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 268548
Sample: final Order.exe
Startdate: 17/08/2020
Architecture: WINDOWS
Score: 35
Signatures: Initial sample is a PE file and has a suspicious name
Processes started: final Order.exe; AXHOGH.exe (three instances); wscript.exe (started by final Order.exe)
Network: 46.243.136.238:4000 (ETOP-ASPL, Netherlands), contacted by final Order.exe
Files dropped: C:\Users\user\AppData\Roaming\...\AXHOGH.exe (PE32), dropped by final Order.exe
Threat name: Win32.Trojan.Nymeria
Status: Malicious
First seen: 2020-08-17 06:11:09 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Loda
    Executable exe 6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36 (this sample)

Delivery method: Distributed via e-mail attachment

Comments