MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c
SHA3-384 hash: cf8c57107c663ac98780a3051665fffd58f29c46824f152d71d569a69388deeff9e42c3e1c022b36bf7362fd8da89d62
SHA1 hash: c794af81b4495f9c27d662baddf9880706b518bd
MD5 hash: c78332a0c33300a02ce44358381034ad
humanhash: aspen-stream-hotel-pip
File name:captura de pantalla.scr
Download: download sample
Signature Loda
Create hunting rule
File size:830'147 bytes
First seen:2020-10-13 12:30:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep 24576:0thEVaPqLwR1o5URAiSXehlVfQkElrV/1:IEVUcUoaEGVf1q11
Threatray 175 similar samples on MalwareBazaar
TLSH 060523EA64DAA601F8FC47B37BD312D186C0DA9297BDAF4CF03C496C36790165A0649F
Reporter abuse_ch
Tags:Loda scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box0.fima-logistics.com
Sending IP: 194.15.36.155
From: Javier Bardem <office@fima-logistics.com>
Reply-To: <mobilecommunications@vivaldi.net>
Subject: pago de nueva reserva
Attachment: captura de pantalla.pdf.z (contains "captura de pantalla.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70445/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Packed.LokiBot-6963314-0
Create hunting rule

SecuriteInfo.com.PSW.Banker6.BTQY.1690.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/489656
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297270 Sample: captura de pantalla.scr Startdate: 13/10/2020 Architecture: WINDOWS Score: 76 28 Antivirus / Scanner detection for submitted sample 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Uses schtasks.exe or at.exe to add and modify task schedules 2->32 7 PFKESG.exe 2->7         started        10 captura de pantalla.exe 1 2 2->10         started        14 PFKESG.exe 2->14         started        16 PFKESG.exe 2->16         started        process3 dnsIp4 34 Antivirus detection for dropped file 7->34 36 Multi AV Scanner detection for dropped file 7->36 26 setupbases.awsmppl.com 194.187.251.163, 49758, 9735 M247GB United Kingdom 10->26 24 C:\Users\user\AppData\Roaming\...\PFKESG.exe, PE32 10->24 dropped 18 cmd.exe 1 10->18         started        file5 signatures6 process7 process8 20 conhost.exe 18->20         started        22 schtasks.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 10:00:46 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n75n2ekmogaorw52yv2ranvusyuiizrnyvevw34zrdm4jdjgssoa._file
Verdict:
malicious
Similar samples:
38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844
Loda
647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249
Loda
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
Loda
83b924a12b9d879758a2cd4c73a095de0ba4016163f76c94404820e741534030
Loda
8a72a55d126b69bda2f37fd88050aeed02d97733f6777759b542db8a442435bc
Loda
9129967bfcf44c87ec6eb83a30f5500a5e453c76281b7ec3b0c1caa778377e08
Loda
aff4652e2ee285a5ad71717a36e215c1eb59787d74e73a763701b0a5f68751a7
Loda
ed105272dc3c77f54e7d170474afa6590a98477e6b076d7e5d1cf6c5e152319d
Loda
faa47da24f0494f637c0264a6d1d53f033a693c5bce624b8e9d4c525dd0e2e9f
Loda
fb400e7c4b16ab67fa5c080f8b1e7f7db965b77d097526a6a28ef5ca34f24bd9
Loda
+ 165 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx persistence
Link:
https://tria.ge/reports/201013-qjefbva3ex/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
d6eeb77ff49b2d42dfa398b21933a6af2887f9c863e292a26d31b71eb5a3bd9f
MD5 hash:
ad957c63b6283957f7d8ed8c6bcbf14a
SHA1 hash:
4fc74dfba6d8d2ed093311279ea0c32c4812f38e
Link:
https://www.unpac.me/results/c15da31e-5b3c-48b9-a6ce-0715d22f5c7d/
SH256 hash:
6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c
MD5 hash:
c78332a0c33300a02ce44358381034ad
SHA1 hash:
c794af81b4495f9c27d662baddf9880706b518bd
Link:
https://www.unpac.me/results/c15da31e-5b3c-48b9-a6ce-0715d22f5c7d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loda

zip 4773cee4161b68ccac5f5f23a8de79d4b7130b6f06e175f62941a925f3c1155c

Loda

Executable exe 6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c

(this sample)

  
Dropped by
MD5 b09e4e7d11e55f678378b29802471c48
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4773cee4161b68ccac5f5f23a8de79d4b7130b6f06e175f62941a925f3c1155c
Cape
Cape
https://www.capesandbox.com/analysis/70445/

Comments