MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f7950c2e180309a2666f594c83800ea4122770b25e3cd896b5d0a362a1647e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f7950c2e180309a2666f594c83800ea4122770b25e3cd896b5d0a362a1647e4
SHA3-384 hash: 62fc739436272c521070bebbfa76bd982431727642a40c0812da67920bca42c54c2aedeea4140968dfb87372c9258dec
SHA1 hash: 62b896265bbf3bbab4acdb2c3e2465ce4445647e
MD5 hash: 2bfb75dab0ad053058cc84af0b4eae49
humanhash: pip-eight-nitrogen-muppet
File name:new.exe
Download: download sample
File size:1'190'787 bytes
First seen:2021-10-19 06:03:57 UTC
Last seen:2022-09-21 03:52:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep 24576:0RmJkcoQricOIQxiZY1iaNE9G9YKCCsEA89Fh/tFrby2O6yqLZFKGzE8:RJZoQrbTFZY1iae814EAsOXqlFKGw8
Threatray 417 similar samples on MalwareBazaar
TLSH T12545E121F5C69036C1B323B19E7EF76A9A3D69360336D2DB27C81D215EA05816B39733
File icon (PE):PE icon
dhash icon 8bd85625886ba58a
Reporter ankit_anubhav
Tags:exe Loda

Intelligence

File Origin
# of uploads :
2
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
new.exe
Verdict:
Malicious activity
Analysis date:
2021-10-19 06:10:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d9a1f542-857f-46ff-806c-62b419050d7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198386/
Detection(s):
Txt.Malware.LodaRAT-9769386-0
Create hunting rule

SecuriteInfo.com.VBS.Dropper-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Deleting a system file
Replacing system files
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit greyware hacktool keylogger overlay packed
Link:
https://www.filescan.io/uploads/616e5fd8db358dd15ec2b7e9/reports/29e07d07-23b6-400d-915e-357ff325c904/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac3629c3-3bfd-41e1-9485-2814266f91d8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/872840
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505268 Sample: new.exe Startdate: 19/10/2021 Architecture: WINDOWS Score: 84 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Sigma detected: WScript or CScript Dropper 2->37 39 Sigma detected: Suspicious Script Execution From Temp Folder 2->39 7 new.exe 2 4 2->7         started        11 QRCMGC.exe 2->11         started        14 QRCMGC.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 31 194.5.98.212, 4001, 49748, 49753 DANILENKODE Netherlands 7->31 27 C:\Users\user\AppData\Roaming\...\QRCMGC.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\Temp\DMAWFG.vbs, ASCII 7->29 dropped 18 cmd.exe 1 7->18         started        21 wscript.exe 7->21         started        43 Antivirus detection for dropped file 11->43 45 Multi AV Scanner detection for dropped file 11->45 file5 signatures6 process7 signatures8 41 Uses schtasks.exe or at.exe to add and modify task schedules 18->41 23 conhost.exe 18->23         started        25 schtasks.exe 1 18->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f7950c2e180309a2666f594c83800ea4122770b25e3cd896b5d0a362a1647e4/
Threat name:
Win32.Backdoor.LodaRat
Create hunting rule
Status:
Malicious
First seen:
2021-10-19 06:04:10 UTC
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0d58813f6e88337b27157411f7a929995e64dd389c16da0fc12e0bdf0f4c48d5
194739d84e81db630a2a5c890dd560d088d829959239829efc86221640a8d99a
1a722652518e589be34613b12d419efee2235ff0b0a37556fbb9cda5eb27b1d2
38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844
3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
62e2d0479075cb28a37635972b9d3ad111e77b86b70de000409e11fe3f1d025a
647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
9129967bfcf44c87ec6eb83a30f5500a5e453c76281b7ec3b0c1caa778377e08
+ 407 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211019-gsmrnagbgm/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
autoit_exe
Adds Run key to start application
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
8f7950c2e180309a2666f594c83800ea4122770b25e3cd896b5d0a362a1647e4
MD5 hash:
2bfb75dab0ad053058cc84af0b4eae49
SHA1 hash:
62b896265bbf3bbab4acdb2c3e2465ce4445647e
Link:
https://www.unpac.me/results/43b8cde2-296c-40e6-b809-cb9a3efdb29e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f7950c2e180309a2666f594c83800ea4122770b25e3cd896b5d0a362a1647e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 8f7950c2e180309a2666f594c83800ea4122770b25e3cd896b5d0a362a1647e4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198386/

Comments