MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
SHA3-384 hash: 4056fa714ce73dfad92b295a8b22d6e9f6ccba6737ad923733125de69d265efcff57c51661392cd489b7be28c16d8dec
SHA1 hash: 31a54c5118109afa7d5c7c465bb4d3b25c947284
MD5 hash: a364b35d4dbdcf328367df843a6286c1
humanhash: batman-cardinal-delta-washington
File name:a364b35d4dbdcf328367df843a6286c1.exe
Download: download sample
Signature Loda
Create hunting rule
File size:13'576'628 bytes
First seen:2023-03-04 20:05:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep 196608:Lg+Aalc1yGZIh6L5iYl/dsy+7d3tFELLs1cAm6f971YAmX1ZK1vauo9Dn:Lgsl5hef1k7ptmQbm6fnmlZsoRn
Threatray 225 similar samples on MalwareBazaar
TLSH T12DD63312BBDD8176C2B25273BD79F711AF3A79260225F09B2FC40939AE60112572E773
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d25466a66a160e63 (1 x Loda)
Reporter abuse_ch
Tags:exe Loda


Avatar
abuse_ch
Loda C2:
2.58.56.188:4000

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
a364b35d4dbdcf328367df843a6286c1.exe
Verdict:
Malicious activity
Analysis date:
2023-03-04 20:07:57 UTC
Tags:
rat quasar evasion loda trojan loader limerat
Link:
https://app.any.run/tasks/ac571b16-d316-4bf7-be82-0ef8d2a3564c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Txt.Malware.LodaRAT-9769386-0
Create hunting rule

SecuriteInfo.com.VBS.Dropper-4.UNOFFICIAL
Create hunting rule

Txt.Malware.LodaRAT-9978072-0
Create hunting rule

Win.Trojan.Barys-1
Create hunting rule

Win.Packed.Generic-9830106-0
Create hunting rule

Win.Trojan.Generic-6295765-0
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

Win.Trojan.Generic-6898101-0
Create hunting rule

Win.Trojan.Generic-6898102-0
Create hunting rule

Win.Malware.Barys-6836745-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
DNS request
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit greyware keylogger lodarat overlay packed redline shell32.dll
Link:
https://www.filescan.io/uploads/6403a4acbfec0852a68f265e/reports/bddf0723-0835-4d7b-ac1d-d712aef51645/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2563e050-e686-4854-9b65-da8615897868
Result
Threat name:
LimeRAT, Blackshades, LodaRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187207
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Deletes shadow drive data (may be related to ransomware)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: LimeRAT
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Blackshades RAT
Yara detected Generic Downloader
Yara detected LimeRAT
Yara detected LodaRAT
Yara detected RansomwareGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820083 Sample: ORHP1V2ErO.exe Startdate: 04/03/2023 Architecture: WINDOWS Score: 100 81 Snort IDS alert for network traffic 2->81 83 Multi AV Scanner detection for domain / URL 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 18 other signatures 2->87 9 ORHP1V2ErO.exe 2 9 2->9         started        13 windowsdefender.exe 2->13         started        15 wfmsc.exe 2->15         started        17 9 other processes 2->17 process3 file4 63 C:\Users\user\AppData\Roaming\...\wfmsc.exe, PE32 9->63 dropped 65 C:\Users\user\AppData\Local\Temp\OHITWG.exe, PE32 9->65 dropped 67 C:\Users\user\AppData\Local\Temp\HMAGXL.exe, PE32 9->67 dropped 69 C:\Users\user\AppData\Local\Temp69ULXGA.vbs, ASCII 9->69 dropped 103 Creates multiple autostart registry keys 9->103 19 OHITWG.exe 15 5 9->19         started        24 HMAGXL.exe 3 9->24         started        26 cmd.exe 9->26         started        28 wscript.exe 9->28         started        105 Antivirus detection for dropped file 13->105 107 Multi AV Scanner detection for dropped file 13->107 109 Machine Learning detection for dropped file 13->109 111 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->111 signatures5 process6 dnsIp7 71 ip-api.com 208.95.112.1, 49696, 49699, 80 TUT-ASUS United States 19->71 57 C:\Windows\SysWOW64\...\ccleaner.exe, PE32 19->57 dropped 89 Antivirus detection for dropped file 19->89 91 Multi AV Scanner detection for dropped file 19->91 93 May check the online IP address of the machine 19->93 101 2 other signatures 19->101 30 ccleaner.exe 15 3 19->30         started        34 schtasks.exe 1 19->34         started        59 C:\Users\user\AppData\...\windowsdefender.exe, PE32 24->59 dropped 95 Machine Learning detection for dropped file 24->95 97 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->99 36 windowsdefender.exe 24->36         started        39 schtasks.exe 1 24->39         started        41 conhost.exe 26->41         started        43 schtasks.exe 26->43         started        file8 signatures9 process10 dnsIp11 73 xmarvel.ddns.net 2.58.56.188, 2222, 4000, 4782 SOFTNET-ASInternetServiceProviderinSloveniaandSouthE Netherlands 30->73 75 192.168.2.1 unknown unknown 30->75 77 ip-api.com 30->77 113 Antivirus detection for dropped file 30->113 115 Multi AV Scanner detection for dropped file 30->115 117 May check the online IP address of the machine 30->117 121 5 other signatures 30->121 45 schtasks.exe 30->45         started        47 schtasks.exe 30->47         started        49 conhost.exe 34->49         started        79 pastebin.com 172.67.34.170, 443, 49704 CLOUDFLARENETUS United States 36->79 61 C:\Users\user\AppData\Roaming\IconLib.dll, PE32 36->61 dropped 119 Protects its processes via BreakOnTermination flag 36->119 51 conhost.exe 39->51         started        file12 signatures13 process14 process15 53 conhost.exe 45->53         started        55 conhost.exe 47->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2023-02-27 06:13:58 UTC
File Type:
PE (Exe)
Extracted files:
534
AV detection:
33 of 39 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcltzd4vnj34nsekus2qrtrituwftftodz7sv5h4tt6z4i3i35ta._file
Verdict:
malicious
Similar samples:
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
Loda
22c729d8f90b69b76d5a3f5f2dce8c149ff62d25f2b6d8d60a9557d4b0ebdc07
Loda
2551a571a99fb4d75cdcb33388ee46757767d949fb098658e38144f77733db97
Loda
2c916a10a631eaf7666091451c1b618a4bc6e2c159306d9723b6f0ab54e579fe
Loda
3888e180beb35b0ebef5b78b77e27f47879ea46b32adee17e65278d3d3a7fe47
Loda
74b86bc238ebe4299858163c95541dd07cec75a2960b74fdb78940c9aee38864
Loda
98d1a1ed8da6588112a805e5864e7ff29031d5bf9db49486a63fc7d652e66f8e
Loda
eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2
Loda
+ 215 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat family:quasar family:revengerat botnet:storage persistence rat spyware trojan
Link:
https://tria.ge/reports/230304-yvd1zaeb4w/
Behaviour
Creates scheduled task(s)
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Drops file in System32 directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
LimeRAT
Quasar RAT
Quasar payload
RevengeRAT
Malware Config
C2 Extraction:
xmarvel.ddns.net:4782
2.58.56.188:4782
Unpacked files
SH256 hash:
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3
MD5 hash:
7cf120a9dad95a45232d7d6f3f87b067
SHA1 hash:
55b96683b6b78888e1d0463fed961b30c014dde7
Detections:
LimeRat
Create hunting rule
Link:
https://www.unpac.me/results/2257c9c8-7229-4930-a723-67acda2bd0b9/
SH256 hash:
5da1a393e344fe0cb894cf740241f309e3ddd05bf6fabf93ec9421e32666315a
MD5 hash:
35f3228c85b8a43d962096ac50ba3ca9
SHA1 hash:
c558bbe950f36b03effab41595d1a88dc4b68bdc
Link:
https://www.unpac.me/results/2257c9c8-7229-4930-a723-67acda2bd0b9/
SH256 hash:
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
MD5 hash:
a364b35d4dbdcf328367df843a6286c1
SHA1 hash:
31a54c5118109afa7d5c7c465bb4d3b25c947284
Link:
https://www.unpac.me/results/2257c9c8-7229-4930-a723-67acda2bd0b9/
Malware family:
xRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78973c8f956a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments