Field | Value
---|---
Download | AAAMZ1uciHS1GLDaVA9lJNzDa
Full analysis | https://app.any.run/tasks/e8ae3f66-1bf0-4f1c-8e9d-c9645ae72a35
Verdict | Malicious activity
Threats | Loda is a remote access trojan (RAT) that has been in active use among multiple threat actors since 2016. The malware's functionality includes stealing passwords and other sensitive information, keylogging, capturing screenshots, and delivering other malicious payloads. Loda is typically distributed as part of phishing email campaigns.
Analysis date | March 22, 2019, 09:28:14
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 0ABF0BD96A40A05EFA58AED5D6929ABA
SHA1 | 0E92896636B0ED726C925AD3653E31C1289F5EFE
SHA256 | 352851C653B97548EF7DE217EDB2CCB133C2CEFB47BBB3EEA7B3906739458DC3
SSDEEP | 24576:mtXE+s3WaqEwRvftQos3BsYJ/9esG4euRhLwnpenc20xGS4jxV15PQ:UgqLRvffsRs2/EnuRh8npenc20kn1V1O
Property | Value
---|---
.zip | ZIP compressed archive (100)
ZipFileName | /
ZipUncompressedSize | -
ZipCompressedSize | -
ZipCRC | 0x00000000
ZipModifyDate | 2019:03:18 10:13:27
ZipCompression | None
ZipBitFlag | -
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2956 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\AAAMZ1uciHS1GLDaVA9lJNzDa.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
3208 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42178\DOCU-MENT-0349439059934-340934-43-PDF.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2236 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3208.42382\DOCU-MENT-0349439059934-340934-43-PDF.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3208.42382\DOCU-MENT-0349439059934-340934-43-PDF.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3004 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | DOCU-MENT-0349439059934-340934-43-PDF.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400)
2260 | "C:\Windows\System32\schtasks.exe" /create /tn makecab /tr "C:\Users\admin\AppData\Local\Temp\VSSVC\BdeSysprep.exe" /sc minute /mo 1 /F | C:\Windows\System32\schtasks.exe | — | DOCU-MENT-0349439059934-340934-43-PDF.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3108 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | RegAsm.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4056 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Management Console; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3060 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft Management Console; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.42178\DOCU-MENT-0349439059934-340934-43-PDF.zip | compressed | E6DE1E710483A38CD40AC0E4140888D9 | D63FD72E5CDEFD8560B069C4507C6C02EB130A0819A41E64B1939836B686D55E
3108 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | A1E9C98EEE3588B8BC17A233736CDE00 | 47D27B9B955DF692B3A4ECAA21C4422BAB7DE477C256E0823BF04767447F03D3
3108 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3108 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UOI5HOD4\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3208 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3208.42382\DOCU-MENT-0349439059934-340934-43-PDF.exe | executable | C8BC43E79E71023D4FBB73F09C3CC50E | E4A0EA3D3C6CA0A9CC94A44AD36965860F58E068E0183C5CAFA6EEAD2365433D
3108 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FG5YYDPL\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3108 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini | ini | 4A3DEB274BB5F0212C2419D3D8D08612 | 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3108 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3004 | RegAsm.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@ipapi[1].txt | text | B70A203BD05A261F7C0606221FC6A323 | 924379F3AFDA434A5314859C24DD23A901440B1F863510B5454E3A2564AD65E5
3004 | RegAsm.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\json[1] | text | 2B1A23FEA84D8DAB830D787C11CCA042 | 03BC0447886FC881C0A822F01E9DA6942681F86854124D114613D8D744E411E8
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3004 | RegAsm.exe | 104.25.210.99:443 | ipapi.co | Cloudflare Inc | US | shared |
3004 | RegAsm.exe | 192.253.242.196:5000 | monopak.dns-cloud.net | SoftLayer Technologies Inc. | AU | malicious |
Domain | IP | Reputation
---|---|---
ipapi.co | | shared
monopak.dns-cloud.net | | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) |
3004 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loda Logger CnC Request |
3004 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Loda Logger CnC Beacon |
Process | Message
---|---
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn