MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05ca799597bc2895bc89e038fe831082a2bbcaf8d6014bbba91afb9f71836884. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05ca799597bc2895bc89e038fe831082a2bbcaf8d6014bbba91afb9f71836884
SHA3-384 hash: 71789e80ef4e4206b99e337c262da46ecd6c1788acfc44fc4fdc21c80b520894de9a86879428a54cb81722254705be51
SHA1 hash: 56f77023ef10d9336811a7eb1859099f02e15a9d
MD5 hash: eb1a66c723387a6f13538d5dc974a309
humanhash: quebec-alanine-aspen-sixteen
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'561'128 bytes
First seen:2022-12-06 10:16:33 UTC
Last seen:2022-12-06 12:02:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94f4081d3f3457127565d33ec8d950d8 (1 x LgoogLoader, 1 x RemcosRAT)
ssdeep 24576:pEHJw8MWHrKNx5z12yOx0Q8cDmdpCxn+1emD4P267fOLsmgdc0ov81TtOi4H:iG02x5zQKrCxn+AK4Tfnmg3FtOt
Threatray 55 similar samples on MalwareBazaar
TLSH T18475230AD7A95B30D6E21774A4AAC3906E39FC30B3698F97358306775EF77C02998706
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0d4a68e9adac4cc (1 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:www.wiley.com
Issuer:DigiCert TLS RSA SHA256 2020 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-11T00:00:00Z
Valid to:2023-11-21T23:59:59Z
Serial number: 0fafd8d91668bd873d0a7e5abd46a0e9
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 1aa19632a0541c6f544a07daf4474b054ab178e1134717140cee16aeb7fb244a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://myexes.s3.ap-northeast-1.amazonaws.com/Adsme.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-06 10:17:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/931c43ac-278e-4959-bb48-58aa66d96367

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343358/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638f16a09a505ad9423da030/reports/00b3e454-1c1d-43f9-b6ad-b3310ef5eb26/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7138300b-4523-4635-86b7-ff445b3aa3de
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1128798
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05ca799597bc2895bc89e038fe831082a2bbcaf8d6014bbba91afb9f71836884/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-12-06 10:17:11 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=axfhtfmxxqujlpej4a4p5ayqqkrlxsxy2yauxo5jdl5z64mdncca._file
Verdict:
malicious
Similar samples:
44192d53830cd0b58bd4c3213649104f23f5c5cb2d4f1168d2d07654e841b907
LgoogLoader
5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd
LgoogLoader
6b6fb52a435554c131a8d186a61c0c199964c0e4a8a0c4d173bfe5b0e7543578
LgoogLoader
7a5647b5e4aca4354ceac0ab494086ecf14ccfaef3075110ca5fde952982e88d
LgoogLoader
8391de874c21ac03bf02c2e6fa7feabc06b2421df1ca6820cc38ad911b060937
LgoogLoader
89129a297232b33e9caa53adbd927bffa9a6e1a2905f21e01b17f4fd374a2c27
LgoogLoader
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
LgoogLoader
be7096119b86de54f3a82c8059e372396169c30d2300d4ec768f4065e4b1b9a7
LgoogLoader
c6dcdfa5821f7fb5a836ec2157742c9b117745584b82ed3f03d6987ce93d9b05
LgoogLoader
+ 45 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221206-mbc4sabh81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ee1e003a-9989-449a-a2c7-5a47672af6ea
Unpacked files
SH256 hash:
2b022189e025bd47d55e901d783590fca6fb2c4cae31a136e4e34a2c9b0fde97
MD5 hash:
fcd250eeb188a8841776260b2c217b6d
SHA1 hash:
79e2507cd6384ef1e18729c70eca5ce2bea47799
Link:
https://www.unpac.me/results/ffb0c9c9-7d0b-4d6b-95df-3289751f8a82/
SH256 hash:
05ca799597bc2895bc89e038fe831082a2bbcaf8d6014bbba91afb9f71836884
MD5 hash:
eb1a66c723387a6f13538d5dc974a309
SHA1 hash:
56f77023ef10d9336811a7eb1859099f02e15a9d
Link:
https://www.unpac.me/results/ffb0c9c9-7d0b-4d6b-95df-3289751f8a82/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/05ca799597bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/05ca799597bc2895bc89e038fe831082a2bbcaf8d6014bbba91afb9f71836884

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/343358/

Comments