MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 affe23699997f46b33a4f43d8558d7ec89603460ecea2f98952527dbaf09288f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: affe23699997f46b33a4f43d8558d7ec89603460ecea2f98952527dbaf09288f
SHA3-384 hash: 9ec944ae17343558fb932cc5e0554e5794c44351b26a0c75e44ef7d1781f133b654a8c5636b2ae73f57af619270f2c2b
SHA1 hash: d5164e7eda92506aa4ed9a2a21bf599d643402f3
MD5 hash: 3dd7ceb0c44f0c9bfd84d802f8b9eee2
humanhash: mike-red-aspen-fourteen
File name:3dd7ceb0c44f0c9bfd84d802f8b9eee2
Download: download sample
Signature Loda
Create hunting rule
File size:1'434'744 bytes
First seen:2022-07-12 20:10:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (251 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 24576:ORmJkcoQricOIQxiZY1iaJOvvvz35L+kdSvBBMynFsf+YF:bJZoQrbTFZY1iaJynzJLJgDrnFsmYF
TLSH T17B659D36F18FE022C1E1B678E9E9A215066B6D2E3D1DA1B636C8B911D970D407F17F23
TrID 39.1% (.EXE) Win32 Executable (generic) (4505/5/1)
26.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
17.3% (.EXE) Generic Win/DOS Executable (2002/3)
17.3% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 48494a4c4c4a2108 (1 x Loda)
Reporter zbetcheckin
Tags:exe Loda Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
397
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
3dd7ceb0c44f0c9bfd84d802f8b9eee2
Verdict:
Malicious activity
Analysis date:
2022-07-12 20:26:08 UTC
Tags:
redline
Link:
https://app.any.run/tasks/98fbca72-be9f-40a4-ab1b-38f2defc7fb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286676/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Searching for the window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the Program Files subdirectories
DNS request
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process
Infecting executable files
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
autoit greyware hacktool keylogger neshta overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62cdd55a81790e51fe5cb0e4/reports/27a6e5b7-82e0-40c9-8097-fabdb57c7d3b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
HackingTeam
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c59f52b-a235-467b-b011-955bdac85b8d
Result
Threat name:
Neshta, RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1029728
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Neshta
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 662218 Sample: PSBD4K3T9C Startdate: 12/07/2022 Architecture: WINDOWS Score: 100 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus detection for dropped file 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 9 other signatures 2->65 9 PSBD4K3T9C.exe 4 2->9         started        13 smartScan.exe 2->13         started        15 svchost.com 2->15         started        17 smartScan.exe 2->17         started        process3 file4 45 C:\Users\user\AppData\...\PSBD4K3T9C.exe, PE32 9->45 dropped 47 C:\Windows\svchost.com, MS-DOS 9->47 dropped 49 C:\Users\user\AppData\Local\...\setup.exe, MS-DOS 9->49 dropped 51 10 other malicious files 9->51 dropped 71 Creates an undocumented autostart registry key 9->71 73 Drops PE files with a suspicious file extension 9->73 75 Drops executable to a common third party application directory 9->75 77 Infects executable files (exe, dll, sys, html) 9->77 19 PSBD4K3T9C.exe 3 5 9->19         started        79 Antivirus detection for dropped file 13->79 24 smartScan.exe 15->24         started        signatures5 process6 dnsIp7 55 34.174.95.150, 12345, 49742, 49743 ATGS-MMD-ASUS United States 19->55 41 C:\Users\user\AppData\...\smartScan.exe, PE32 19->41 dropped 43 C:\Users\user\AppData\Local\Temp\WZFCDS.exe, PE32 19->43 dropped 67 Antivirus detection for dropped file 19->67 69 Drops executables to the windows directory (C:\Windows) and starts them 19->69 26 svchost.com 1 19->26         started        30 cmd.exe 1 19->30         started        file8 signatures9 process10 file11 53 C:\Windows\directx.sys, ASCII 26->53 dropped 81 Antivirus detection for dropped file 26->81 83 Machine Learning detection for dropped file 26->83 85 Sample is not signed and drops a device driver 26->85 32 WZFCDS.exe 15 3 26->32         started        87 Uses schtasks.exe or at.exe to add and modify task schedules 30->87 35 conhost.exe 30->35         started        37 schtasks.exe 1 30->37         started        signatures12 process13 signatures14 57 Antivirus detection for dropped file 32->57 39 conhost.exe 32->39         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/affe23699997f46b33a4f43d8558d7ec89603460ecea2f98952527dbaf09288f/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 13:16:10 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v77cg2mzs72gwm5e6q6ykwgx5sewanda5tvc7geveut5xlyjfchq._file
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:redline botnet:excele infostealer persistence spyware stealer
Link:
https://tria.ge/reports/220712-yx8y5aeahr/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Detect Neshta payload
Modifies system executable filetype association
Neshta
RedLine
RedLine payload
Malware Config
C2 Extraction:
34.174.95.150:54865
Unpacked files
SH256 hash:
758a9fda1f74b1eb8452877281287d38cc26455947e173bfe8e74b3876d4aad8
MD5 hash:
245b9ab4590f2e0c382f32df3370be4a
SHA1 hash:
ec40f8972e9c06073b8c542382a9c722520e5334
Link:
https://www.unpac.me/results/25a357e8-0f98-476f-90af-13ddbf101bf0/
SH256 hash:
affe23699997f46b33a4f43d8558d7ec89603460ecea2f98952527dbaf09288f
MD5 hash:
3dd7ceb0c44f0c9bfd84d802f8b9eee2
SHA1 hash:
d5164e7eda92506aa4ed9a2a21bf599d643402f3
Detections:
win_neshta_g0
Create hunting rule
Link:
https://www.unpac.me/results/25a357e8-0f98-476f-90af-13ddbf101bf0/
Malware family:
RedLine.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/affe23699997/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/affe23699997f46b33a4f43d8558d7ec89603460ecea2f98952527dbaf09288f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loda

Executable exe affe23699997f46b33a4f43d8558d7ec89603460ecea2f98952527dbaf09288f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2251357/
Cape
Cape
https://www.capesandbox.com/analysis/286676/

Comments


Avatar
zbet commented on 2022-07-12 20:11:03 UTC

url : hxxp://judithabusufaitdyg.duckdns.org/winupdate.exe