MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af842257a5720b2a587284626867caed0bbc03fbaf8163258eb52d36b053a428. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af842257a5720b2a587284626867caed0bbc03fbaf8163258eb52d36b053a428
SHA3-384 hash: 98d0273b6d021abd1d895be6a6847052ff2c19ae74ae525b2b5db0e34c0175584e040dddf5a1a5eabe1386b19cd649d4
SHA1 hash: fa0ba8699fde5e84c5295feeb8240fd31054f026
MD5 hash: dc14cd48169a1ab64074a09521fdcf1d
humanhash: oscar-two-coffee-freddie
File name:2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe
Download: download sample
Signature Loda
Create hunting rule
File size:1'151'847 bytes
First seen:2021-07-21 06:27:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep 24576:5RmJkcoQricOIQxiZY1iaqoBlHOWD3EKMFmihl5N1lC8R:WJZoQrbTFZY1iaqAOWrYTN1M8
Threatray 288 similar samples on MalwareBazaar
TLSH T12B35E121F5C68036C2B327B19E7EF7A99A3D69370336D19727C82D325EA05416B29733
dhash icon 2c6c00c066a66630 (2 x Vjw0rm, 2 x WSHRAT, 1 x Loda)
Reporter lowmal3
Tags:exe Loda

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.212:4001 https://threatfox.abuse.ch/ioc/161890/

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe
Verdict:
Malicious activity
Analysis date:
2021-07-21 06:36:59 UTC
Tags:
trojan loda loader
Link:
https://app.any.run/tasks/82c08c35-296a-4e31-9b11-e56fdd22def9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172937/
Detection(s):
Txt.Malware.LodaRAT-9769386-0
Create hunting rule

SecuriteInfo.com.VBS.Dropper-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c19cd52e-5f45-438c-a66c-fb5538a405c1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/819350
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451757 Sample: 2 ( P-O DRAWINGS ) SUPPLY P... Startdate: 21/07/2021 Architecture: WINDOWS Score: 68 33 Multi AV Scanner detection for submitted file 2->33 35 Sigma detected: WScript or CScript Dropper 2->35 37 Sigma detected: Suspicious Script Execution From Temp Folder 2->37 7 2 ( P-O DRAWINGS ) SUPPLY PRODUCT.exe 2 4 2->7         started        11 EHOTEW.exe 2->11         started        14 EHOTEW.exe 2->14         started        16 4 other processes 2->16 process3 dnsIp4 31 194.5.98.212, 4001, 49719 DANILENKODE Netherlands 7->31 27 C:\Users\user\AppData\Roaming\...HOTEW.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\Temp29VTJEZ.vbs, ASCII 7->29 dropped 18 cmd.exe 1 7->18         started        21 wscript.exe 7->21         started        41 Multi AV Scanner detection for dropped file 11->41 file5 signatures6 process7 signatures8 39 Uses schtasks.exe or at.exe to add and modify task schedules 18->39 23 conhost.exe 18->23         started        25 schtasks.exe 1 18->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af842257a5720b2a587284626867caed0bbc03fbaf8163258eb52d36b053a428/
Threat name:
Win32.Backdoor.LodaRat
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 06:28:04 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v6ccev5foifsuwdsqrrgqz6k5uf3ya73v6awgjmowuwtnmctuqua._file
Verdict:
unknown
Similar samples:
0d58813f6e88337b27157411f7a929995e64dd389c16da0fc12e0bdf0f4c48d5
Loda
194739d84e81db630a2a5c890dd560d088d829959239829efc86221640a8d99a
Loda
38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844
Loda
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
Loda
83b924a12b9d879758a2cd4c73a095de0ba4016163f76c94404820e741534030
Loda
8a72a55d126b69bda2f37fd88050aeed02d97733f6777759b542db8a442435bc
Loda
9129967bfcf44c87ec6eb83a30f5500a5e453c76281b7ec3b0c1caa778377e08
Loda
aff4652e2ee285a5ad71717a36e215c1eb59787d74e73a763701b0a5f68751a7
Loda
ed105272dc3c77f54e7d170474afa6590a98477e6b076d7e5d1cf6c5e152319d
Loda
fb400e7c4b16ab67fa5c080f8b1e7f7db965b77d097526a6a28ef5ca34f24bd9
Loda
+ 278 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210721-k9zkl551l2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
autoit_exe
Adds Run key to start application
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
af842257a5720b2a587284626867caed0bbc03fbaf8163258eb52d36b053a428
MD5 hash:
dc14cd48169a1ab64074a09521fdcf1d
SHA1 hash:
fa0ba8699fde5e84c5295feeb8240fd31054f026
Link:
https://www.unpac.me/results/24277760-7fe1-4900-9316-7e39facd1476/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af842257a5720b2a587284626867caed0bbc03fbaf8163258eb52d36b053a428

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loda

Executable exe af842257a5720b2a587284626867caed0bbc03fbaf8163258eb52d36b053a428

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/172937/

Comments