MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b00e65f141bd037ee4e702f84f6079132a689f31970c29b4d1d67b6a1de4e0bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loda

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 1 File information Comments

SHA256 hash:	b00e65f141bd037ee4e702f84f6079132a689f31970c29b4d1d67b6a1de4e0bc
SHA3-384 hash:	89c95ddaaa265db158382d6c44c20543ade94d6b15e4aca193e697094f49f025a0b20e5c8d2c51a8e377511090cece5e
SHA1 hash:	2680e2011e29a3ff1f6bd70fc1e8c3a73b5564b9
MD5 hash:	76dfeeb731295ac4ddedb8d828e9b4d3
humanhash:	papa-romeo-vegan-princess
File name:	76dfeeb731295ac4ddedb8d828e9b4d3.exe
Download:	download sample
Signature	Loda Create hunting rule
File size:	1'187'949 bytes
First seen:	2021-11-14 01:06:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	369fe35b86c83b3130c02698158a4d4d (14 x Formbook, 4 x RedLineStealer, 4 x AgentTesla)
ssdeep	24576:BRmJkcoQricOIQxiZY1WNfEiU4il6WwP1MvYR6eqbg79:uJZoQrbTFZY1WNfEboZR6y
Threatray	441 similar samples on MalwareBazaar
TLSH	T1DB45E122B5C69036C2B327B19E7EF76A963D79360336D29727C82D311EA05416B39733
File icon (PE):
dhash icon	531b8c335295c864 (1 x Loda)
Reporter	abuse_ch
Tags:	exe Loda

abuse_ch

Loda C2:
79.142.76.244:29769

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
79.142.76.244:29769	https://threatfox.abuse.ch/ioc/248056/

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/205570/

Detection(s):

PUA.Win.Packer.Ep-7

PUA.Win.Packer.Embedpe-3

PUA.Win.Packer.AcprotectUltraprotect-1

SecuriteInfo.com.BackDoor.IRC.Bot.3238.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autoit greyware hacktool keylogger lodarat nymeria overlay packed

Link:

https://www.filescan.io/uploads/619061383edf00a722d2d62f/reports/2a2549d3-e7f2-44bc-9dbd-2ea3bdefeef7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/807e1ab4-cb71-4b46-9b0d-6db917d2ab54

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/888714

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Uses Windows timers to delay execution

Yara detected Embedded PE file in AUTOIT SCRIPT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b00e65f141bd037ee4e702f84f6079132a689f31970c29b4d1d67b6a1de4e0bc/

Threat name:

Win32.Backdoor.LodaRat

Status:

Malicious

First seen:

2021-11-13 04:48:25 UTC

AV detection:

22 of 44 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wahgl4kbxubx5zhhal4e6ydzcmvgrhzrs4gctngr2z5wuhpe4c6a._file

Verdict:

unknown

Loda

1a722652518e589be34613b12d419efee2235ff0b0a37556fbb9cda5eb27b1d2

Loda

38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844

Loda

3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1

Loda

647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249

Loda

6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36

Loda

7d4b1b72b1318cb933e0d6420813499581064f57a713b7e1ee8caa3753113ca0

Loda

8f7950c2e180309a2666f594c83800ea4122770b25e3cd896b5d0a362a1647e4

Loda

a9431563de4e84d5d231fff8382087131368a29066f7711fdbfee0f70f37fe99

Loda

+ 431 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/211114-bgna6acfel/

Behaviour

Enumerates physical storage devices

autoit_exe

Unpacked files

SH256 hash:

b00e65f141bd037ee4e702f84f6079132a689f31970c29b4d1d67b6a1de4e0bc

MD5 hash:

76dfeeb731295ac4ddedb8d828e9b4d3

SHA1 hash:

2680e2011e29a3ff1f6bd70fc1e8c3a73b5564b9

Link:

https://www.unpac.me/results/2411d755-08a2-4707-8f93-9e8518976473/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/205570/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample