MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0583d720bbd996d5a06e930e3dd48a4e3e7f0a2f4c79078b84b13eee49a8d01e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LgoogLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	0583d720bbd996d5a06e930e3dd48a4e3e7f0a2f4c79078b84b13eee49a8d01e
SHA3-384 hash:	6d6cc5db25ae4f5a1954a48a8c51c91080e404d9e01e40d675fccfc98b739e1fcfe1465b4571018d57dfdc123fe997e2
SHA1 hash:	8c92b9b777d37064e2bc2ae2fdc76be704c0b715
MD5 hash:	6e11432b2f77efd7d18ac993c4bb348e
humanhash:	friend-low-texas-skylark
File name:	SecuriteInfo.com.Win64.PWSX-gen.9838.14214
Download:	download sample
Signature	LgoogLoader Create hunting rule
File size:	483'840 bytes
First seen:	2022-12-11 21:29:16 UTC
Last seen:	2022-12-12 01:44:39 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:d1rLcnhcLt6jqdh+Z8+awCNeKawwStGl:zL6ix6jAq8+/KaUA
Threatray	793 similar samples on MalwareBazaar
TLSH	T169A4DFDA23F971C7E541BDF625BA27DFC272A022288EDB8C53C03557A0A04BBADD1531
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	exe LgoogLoader

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345265/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.9838.14214.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a service

Loading a system driver

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Changing a file

Using the Windows Management Instrumentation requests

Creating a file

Enabling autorun for a service

Blocking the User Account Control

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63964bdbf6e448d42df81bbf/reports/2bdb11fd-60a6-4091-903f-8369ab80a0c7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/3c4baf44-d2c4-4ba4-a8f1-f5301405a74f

Result

Threat name:

lgoogLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1132308

Signature

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Disables UAC (registry)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample is not signed and drops a device driver

Writes to foreign memory regions

Yara detected lgoogLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0583d720bbd996d5a06e930e3dd48a4e3e7f0a2f4c79078b84b13eee49a8d01e/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2022-12-11 21:27:36 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=awb5oif33glnlidosmhd3vekjy7h6crpjr4qpc4ewe7o4sni2apa._file

Verdict:

malicious

LgoogLoader

473e99cdf2dc25a6bf43a56e9b095639776294bea38321c079cceecb3678c28d

LgoogLoader

4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd

LgoogLoader

66bfc82c4f69f36538f7ff9f5949f72288805850f4b64980c17ec930c6baf224

LgoogLoader

6996549eb2f2333d7bd392c7de1b96823d36ab7d1de4b14a66273c1a691e4c1f

LgoogLoader

81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3

LgoogLoader

af740e72fdc536b935138fe6974e3c4a7bd9956ae6f47bb86273cf49365c62d2

LgoogLoader

ba62e3fda637027cae8196b25f6028a2403ea3be566d9e530b83fa69b515afc7

LgoogLoader

c00660379db4da598cf59eeb74ae9a686803cc4296cbde73a61c988cf87e1d44

LgoogLoader

fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea

LgoogLoader

+ 783 additional samples on MalwareBazaar

Result

Malware family:

lgoogloader

Score:

10/10

Tags:

family:lgoogloader downloader evasion persistence trojan

Link:

https://tria.ge/reports/221211-1cgegscc3w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Checks computer location settings

Windows security modification

Sets service image path in registry

Detects LgoogLoader payload

LgoogLoader

UAC bypass

Windows security bypass

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9969e5bc-ef85-4018-9b93-34b512aba786

Unpacked files

SH256 hash:

0583d720bbd996d5a06e930e3dd48a4e3e7f0a2f4c79078b84b13eee49a8d01e

MD5 hash:

6e11432b2f77efd7d18ac993c4bb348e

SHA1 hash:

8c92b9b777d37064e2bc2ae2fdc76be704c0b715

Link:

https://www.unpac.me/results/b8e980d8-d8ca-4a8e-a3cd-73d4b79e5ca6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0583d720bbd9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/0583d720bbd996d5a06e930e3dd48a4e3e7f0a2f4c79078b84b13eee49a8d01e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LgoogLoader

exe 0583d720bbd996d5a06e930e3dd48a4e3e7f0a2f4c79078b84b13eee49a8d01e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2454281/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/345265/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample