MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loda

Vendor detections: 9

SHA256 hash: fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509
SHA3-384 hash: d444f7d0bf58e5e2df99e1fcb05015ae93bc2f82b3f9c009cc9d3cddda5d8803e26dac87811fcda8762fa020d5efe9c5
SHA1 hash: b35c601c1cea874f1e68c8020900cb764e195f6f
MD5 hash: 54fb25c20d4191ff7e5185812485282f
humanhash: happy-bravo-green-december
File name: AggregateExcept.exe
Signature: Loda
File size: 941'568 bytes
First seen: 2022-05-12 06:12:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep: 24576:1AHnh+eWsN3skA4RV1Hom2KXMmHafJ4f7l55:kh+ZkldoPK8YafJy7F
TLSH: T187158C0273D1C036FFAB92739B6AF2455ABC79254123852F13981DB9BD701B2273E663
TrID: 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter: AndreGironda
Tags: AutoIT exe Loda LodaRAT


AndreGironda
MITRE T1566.001
Date: 11 May 2022 20:30-21:00 -0700
Received: from 162-241-137-201.unifiedlayer.com (162.241.137.201)
Received: from [103.151.123.185] (port=58649)
From: Brain Miller <smtpfox-29gp7@mybrokerdesk.com>
Subject: Re: Payment Invoice #28357 Details
Message-ID: <20220511204042.7F32AAB59821A394@mybrokerdesk.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_C2676FCA.45AFE36E"
X-Get-Message-Sender-Via: your.myhomebuyermovies.tv: authenticated_id: smtpfox-29gp7@mybrokerdesk.com
X-Authenticated-Sender: your.myhomebuyermovies.tv: smtpfox-29gp7@mybrokerdesk.com
Return-Path: smtpfox-29gp7@mybrokerdesk.com
Attachment Name: Invoice.zip
Zipfile SHA256: da0f6e298df6247344642667c038648ffb7cb404b17a5e0810aa8f4bfceeac32
Unzipped Executable Name: Invoice.exe
Executable SHA256: 2a3493913b3be215927ca464ff826dd910c017edd9795c1ed9464bd90f66664a
Unpacked Executable SHA256: fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509
Unpacked AutoIT SHA256: 39b499fd6be6f1b68cfa7181efaa0c2e612b52c66a9e95e40f110cf13adcb310

C2 Connect from AutoIT -- hXXp://funmustsolutions[.]site/wp-includes/icex/Script.php

POST /wp-includes/icex/Script.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
User-Agent: 4cab856c-2ae4-4cbd-8a04-329969ee64da
Content-Length: 8
Host: funmustsolutions.site

Intelligence


File Origin
# of uploads:
1
# of downloads:
286
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Creating a file in the %temp% directory
DNS request
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
autoit control.exe expand.exe greyware hacktool keylogger packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Disables Windows Defender (via service or powershell)
Drops PE files to the startup folder
Found API chain indicative of sandbox detection
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Behaviour
Behavior Graph (ID 624884; sample AggregateExcept.exe; start date 12/05/2022; architecture WINDOWS; score 100):
Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 3 other signatures
Processes started at sample level: AggregateExcept.exe, explorers.exe (2 instances), 2 other processes
Process tree:
  AggregateExcept.exe
    dropped: C:\Users\user\AppData\Roaming\explorers.exe (PE32); C:\Users\user\AppData\...\explorers.exe (PE32); C:\Users\...\explorers.exe:Zone.Identifier (ASCII)
    signatures: Binary is likely a compiled AutoIt script file; Self deletion via cmd delete; Found API chain indicative of sandbox detection; Drops PE files to the startup folder
    cmd.exe
      explorers.exe
        network: funmustsolutions.site 173.82.8.218, ports 49763, 49764, 49765 (MULTA-ASN1US, United States)
        signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file
        cmd.exe
          signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
          powershell.exe (3 instances)
          conhost.exe
      conhost.exe
    cmd.exe
      signatures: Adds a directory exclusion to Windows Defender; Disables Windows Defender (via service or powershell)
      conhost.exe
      timeout.exe
Threat name:
Win32.Trojan.Dizemp
Status:
Malicious
First seen:
2022-05-12 06:13:07 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
17 of 26 (65.38%)
Threat level:
5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
AutoIT Executable
Adds Run key to start application
Deletes itself
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash:
fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509
MD5 hash:
54fb25c20d4191ff7e5185812485282f
SHA1 hash:
b35c601c1cea874f1e68c8020900cb764e195f6f

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Loda
Executable exe fecfca77593850e4f6deb8090fc35b14366ab27ef0ada833f940b2d4cb381509 (this sample)
Delivery method: Distributed via e-mail attachment
