MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loda

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea
SHA3-384 hash:	0186602d9d54cfd0b44049677106a858dad57793ef8b2e17bb2a7f5e1521e433371a46c0841e38a0d739481e606465fe
SHA1 hash:	3ba5f0fa5f47765bee9bbc77a7a23e72934b0fba
MD5 hash:	9de2302839c449544b36a64859fa5e9e
humanhash:	bakerloo-orange-neptune-sixteen
File name:	9de2302839c449544b36a64859fa5e9e.exe
Download:	download sample
Signature	Loda Create hunting rule
File size:	11'967'488 bytes
First seen:	2026-03-17 06:42:52 UTC
Last seen:	2026-03-17 07:33:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4bb2436b569f68911a870608bbdf4781 (2 x Loda)
ssdeep	196608:+7JNyO3JVvjYhVRwXjcVlvaozKMKRrlF8XEd5hTR6eAYrTp4SVbKLbuvxquRG9NF:+7TJbLYlVlv0M5w5jTtVAuVMso4
TLSH	T1E7C6335B2DD740EADC8118B08B27ABD723F361E989894C357AC6388D7991FB7702F416
TrID	27.0% (.EXE) Win64 Executable (generic) (6522/11/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Loda

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/b0473931-1968-4570-9e1b-2d5306f40501/

Malware family:

n/a

ID:

File name:

Detalle_Pago_Reserva_Grupo_Juan_Carlos_RamC3ADrez_Mayo_2026.xls

Verdict:

Malicious activity

Analysis date:

2026-03-17 00:39:39 UTC

Tags:

macros macros-on-open loader auto-reg autoit

Link:

https://app.any.run/tasks/ce5fc6a9-2b18-4eca-8593-5034dc24d9dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/57707/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.24244681.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b8f80488c80c01586b0cc8

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Creating a process from a recently created file

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lodarat packed unsafe

Link:

https://www.filescan.io/uploads/69b8f802677ac46843a5f3a8/reports/9da9f39e-7f47-4bce-af7c-b57356d02bdc/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea

Verdict:

Malicious

File Type:

exe x32

Detections:

PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Autoit.sb Trojan.Win32.Agent.sb HEUR:Trojan.VBS.Agent.gen Trojan-Downloader.AutoIt.TCP.C&C Trojan.Win32.Agent.xcdbgv not-a-virus:RiskTool.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0571a69a-e282-4b85-911c-ea7c85d7c54b

Result

Threat name:

LodaRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1884692

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected LodaRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/9de2302839c449544b36a64859fa5e9e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea/

Verdict:

Malicious

Threat:

Family.LODA

Link:

https://tip.neiki.dev/file/b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea

Threat name:

Win32.Trojan.Etset

Status:

Malicious

First seen:

2026-03-17 02:20:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 38 (73.68%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wdiurkhizje7wdksugppttsewyi7ayffdnltrsfjh4sis5axppva._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/260317-hg11kses5n/

Behaviour

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

AutoIT Executable

Adds Run key to start application

Executes dropped EXE

Unpacked files

SH256 hash:

b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea

MD5 hash:

9de2302839c449544b36a64859fa5e9e

SHA1 hash:

3ba5f0fa5f47765bee9bbc77a7a23e72934b0fba

Link:

https://www.unpac.me/results/843b3893-f7f3-4336-8cb8-1ad6da26d9ed/

SH256 hash:

a343db340934600637870df71f99a78c91b1e1f3e5fc2e16c45c366128739e18

MD5 hash:

e561b99245d15fffa52f4575e7b96bae

SHA1 hash:

219220cf1c8287c82cc12a3a0b7d33c10683ec6a

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/843b3893-f7f3-4336-8cb8-1ad6da26d9ed/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b0d148a8e8ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loda

exe b0d148a8e8ca49fb0d52a19ef9ce44b611f060a51b5738c8a93f248974177bea

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3797691/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/57707/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample