MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4319ba20af83dd8ba6041fd70c3c27dc2c79c648de642487fc1a217e0549fc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loda


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4319ba20af83dd8ba6041fd70c3c27dc2c79c648de642487fc1a217e0549fc8
SHA3-384 hash: a6a73e6df0b4ce8339d55c33165affc0748b64dbb2991dc21a91909139aaeda43b3823cc4e272abb295df917794cdde1
SHA1 hash: aef7912134f830b596d2b3d2f063d6b07be89ce1
MD5 hash: da2f7a1f37ff269219662ab3a4488aa1
humanhash: xray-jig-nineteen-uranus
File name:Order.pfg.exe
Download: download sample
Signature Loda
Create hunting rule
File size:1'363'968 bytes
First seen:2020-05-05 07:26:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:ogN2hgoa54eMgMqYS92vDs5rOi/uj2qSbyFvw7mPn7zr5:p46DRMgMqYS92gROwuqqAwwKPn7zr
Threatray 950 similar samples on MalwareBazaar
TLSH FE5501281D7C2532C5A9C2BE8AC48436F12090A731339E7139D3968B5F87E4265FB97F
Reporter abuse_ch
Tags:exe Loda


Avatar
abuse_ch
Malspam distributing Loda:

HELO: slot0.airwestmechanical.cf
Sending IP: 64.190.90.61
From: Air West M. LLC <info@airwestmechanical.cf>
Reply-To: Air West M. LLC <airwestm@unamaf-undp.org>
Subject: Re: Order
Attachment: Order.pfg.rar (contains "Order.pfg.exe")

Loda C2:
unama.duckdns.org:4000 (37.230.175.86)

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 07:35:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qyzxiqk7a65rotaih6xbq6cpxbmphderxteesd7ygrbpycut7ea._file
Verdict:
malicious
Similar samples:
180e63e884c208203b6f222673df84b703a55db642fcbc97183a979fc01381b8
Loda
1e7645dc4a6c0905d8d8ab0674ea1e775f6d363f7294ae4d64837b21f93d6959
Loda
215efb4d72a987d380f71ce2cea15cb73c3084253026a2c80efd7a3c83ae5f9f
Loda
2f53c96770351e95583b6c3d3bde7c4d44f0fc9e324517fd084a61000ed63dde
Loda
370fce30fb19905514c9e42d8cf687b95552261d2d5d47be8b273eca41cfb66f
Loda
95654631036f198ae09278641c978609781eee27cdff60dcfe05ba72b367eee7
Loda
accfb8da98afdd5a90448bcdead0ce0913e7c1c505a0e4a4fe661fb4dae3da6f
Loda
afa655613277fa5927ea6e777245abc8812101008ff0d542efd12b9ec4d9e17c
Loda
d488a34718cf2db560dd4c62ccb5fac527cc192716c2d166a71f98abd384aba6
Loda
e6e3032e4bcd9d1a92bd61d8c3aae211e2d28093b87e01d15feb25ebfdad02d4
Loda
+ 940 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-5vthavc89x/
Behaviour
Creates scheduled task(s)
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loda

rar b4f3f489c159efd60ff8cdf584f357f2044586c5c5d4b23db8d322b2aea9a141

Loda

Executable exe e4319ba20af83dd8ba6041fd70c3c27dc2c79c648de642487fc1a217e0549fc8

(this sample)

  
Dropped by
MD5 d7e8f3f1577e494ab9e3875aeb05838a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b4f3f489c159efd60ff8cdf584f357f2044586c5c5d4b23db8d322b2aea9a141

Comments