MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a55df14a927eb0b33bed0878116d0489c40236b84b64a777c3b7a7438a3896ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LodaRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a55df14a927eb0b33bed0878116d0489c40236b84b64a777c3b7a7438a3896ba
SHA3-384 hash: 3600511fee0734b47f9874efed893220d4e2846feefe66b33238548e566dcc31ad2a41aac4b8e3aa90592cb1171ebcdf
SHA1 hash: 9d185c300e3a70c62fb258aae69c0b3b0afe5f2f
MD5 hash: 995fb6aaa0c3686082fa79162946ebd8
humanhash: paris-grey-quiet-autumn
File name:UIWUWL.exe
Download: download sample
Signature LodaRAT
Create hunting rule
File size:1'313'792 bytes
First seen:2023-11-28 15:10:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep 24576:74lavt0LkLL9IMixoEgeaL8T3Wz/fDp6RL5Z6DlcR5utZgxmxq9MmCS:Okwkn9IMHeaIT3WbLp6RLiDkSLaPCS
Threatray 1'279 similar samples on MalwareBazaar
TLSH T16B55D00373EE83A1C3725173BA56BB01AEBB7D2905B1F49B2FD8093DE920161521E673
TrID 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.6% (.EXE) Win64 Executable (generic) (10523/12/4)
7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 218c67262a4a4ac9 (1 x LodaRAT)
Reporter 1ZRR4H
Tags:46-246-80-17 exe LodaRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
CL CL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460970/
Detection(s):
Txt.Malware.LodaRAT-9769386-0
Create hunting rule

SecuriteInfo.com.VBS.Dropper-4.UNOFFICIAL
Create hunting rule

Txt.Malware.LodaRAT-9978072-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit control greyware keylogger lolbin nanocore packed predator shell32 threat
Link:
https://www.filescan.io/uploads/6566030bbcca970107d0c051/reports/7419dca0-6022-4b6d-b2f6-aedc9900c992/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a55df14a927eb0b33bed0878116d0489c40236b84b64a777c3b7a7438a3896ba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4bbcbe1c-d5b2-4b5d-b100-9ba154fe8a6b
Result
Threat name:
LodaRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349360
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to modify clipboard data
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected LodaRAT
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a55df14a927eb0b33bed0878116d0489c40236b84b64a777c3b7a7438a3896ba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a55df14a927eb0b33bed0878116d0489c40236b84b64a777c3b7a7438a3896ba/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2023-11-07 16:23:22 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvo7csusp2ylgo7nbb4bc3ierhcaenvyjnsko56dw6tuhcrys25a._file
Verdict:
malicious
Similar samples:
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
LodaRAT
2551a571a99fb4d75cdcb33388ee46757767d949fb098658e38144f77733db97
LodaRAT
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
LodaRAT
78cb0c7ea82e64dec145b41cd56d77693e75e312f27a83ae102680233089f549
LodaRAT
a55df14a927eb0b33bed0878116d0489c40236b84b64a777c3b7a7438a3896ba
LodaRAT
c0243843ad83a16bc3c9fe59f8d530aee08fbe163b45cf676c4327d1f2a0a6fb
LodaRAT
fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a
LodaRAT
+ 1'269 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/231128-sklp6sah55/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Adds Run key to start application
Unpacked files
SH256 hash:
55967e6c3f2494912b985e8a4db5226194edaa657eacc8b984a0acad7b922c37
MD5 hash:
958367a5681c03307bab35ced9982c89
SHA1 hash:
4ee3df497940aa8482e04fa14c4eb3e53698370d
Detections:
allow_rdp_session_without_password
Create hunting rule
Link:
https://www.unpac.me/results/f8c27edb-8e0f-4774-a97c-ec9c03a3c1e5/
SH256 hash:
a55df14a927eb0b33bed0878116d0489c40236b84b64a777c3b7a7438a3896ba
MD5 hash:
995fb6aaa0c3686082fa79162946ebd8
SHA1 hash:
9d185c300e3a70c62fb258aae69c0b3b0afe5f2f
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/f8c27edb-8e0f-4774-a97c-ec9c03a3c1e5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a55df14a927e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a55df14a927eb0b33bed0878116d0489c40236b84b64a777c3b7a7438a3896ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIt
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:AutoIT packer
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/460970/

Comments