MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1099a94d3847925fa30d83ce653a8b6e88e36ee7748998da5358a1b4ff623af8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Koutodoor


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1099a94d3847925fa30d83ce653a8b6e88e36ee7748998da5358a1b4ff623af8
SHA3-384 hash: f427dd3d6d2c53f78aff54afd9dda3754a1ef08d19bc7a4a43a015e1cc7a00d42bdfe0a95c6255e705098fcddc94754c
SHA1 hash: 47bdf79debf1169477e7e4ca8ac2ca9a552054cc
MD5 hash: e72e839a260dedf1b168826fa435eed8
humanhash: three-happy-high-failed
File name:file
Download: download sample
Signature Adware.Koutodoor
Create hunting rule
File size:1'903'032 bytes
First seen:2022-12-31 02:09:10 UTC
Last seen:2022-12-31 19:24:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d0f857fd687e8814292f61f040cd561 (1 x Adware.Koutodoor)
ssdeep 49152:5MIMgtH8iWr5BJwbL74qA8FBnohjTaA59Zqhh06uuuuuuuHtN5:pMgtcdtwbFTnVS
Threatray 82 similar samples on MalwareBazaar
TLSH T11595BEA3E7989980D919527692ACC302CFC4CA90410E467284F7FBEC5DFFED0DA5A356
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f1ccf8d4d4d4cccc (1 x Adware.Koutodoor)
Reporter andretavare5
Tags:Adware.Koutodoor exe


Avatar
andretavare5
Sample downloaded from http://www.isurucabs.lk/Ads11.exe

Intelligence

File Origin
# of uploads :
23
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-31 02:12:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3c84a27-f601-4697-a0ad-0ffd0c2d4de2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Generic.ML.PUA.4215.12797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63af99fc40e878e304216d11/reports/5ad043ce-8910-46c2-b911-f8d1948e9fbc/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50733f73-3ce8-487b-ad9c-681199b64096
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1143379
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1099a94d3847925fa30d83ce653a8b6e88e36ee7748998da5358a1b4ff623af8/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-12-31 03:20:40 UTC
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ccm2stjyi6jf7iynqphgkouln2eog3xhosezrwstlcq3j73chl4a._file
Verdict:
malicious
Similar samples:
0d4089a9c33b6e2fbe05823f34c4c1bd1247a3438d9e0e5727a3aaf135accbac
Adware.Koutodoor
300590c1d48c020440d2ac22e2dc14dd65c7455870f7a02dc2968a787b7c341b
Adware.Koutodoor
4f1f7b8e2fc6d9fb748e37d981d6e6cb9e5de29eab70eda27189da4e86bc8c88
Adware.Koutodoor
78f4cb6ed265c721890f28d96e33ce8b2defae0d8c71eaafbbc75199ca270d23
Adware.Koutodoor
a48d0a440c75cc77f43f8639b282d5ff22d5ada4da08f7687f8bb1e64ab730fe
Adware.Koutodoor
cbb8c2cc3ac88bbd575fc3153fc67f43dde566fda8e7c244c0f50d1333f7c3f8
Adware.Koutodoor
d75c5569713f3210181864af552f1580387269c9673f84ef0e12a4ced8b66cc1
Adware.Koutodoor
db879678592ef06f80666d6e86759df9ebdf0fd7349af580a8a9c1f1cf7eee36
Adware.Koutodoor
e83e4db6d226391445db6e931939e2a0da67e8c4428bb2512034e166b9ca5414
Adware.Koutodoor
f2f2fa1f2bfab812eb154d51fa5d22b303639f8a74442b9ef14e4be678fad1ee
Adware.Koutodoor
+ 72 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader
Link:
https://tria.ge/reports/221231-clpv8acc2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detects LgoogLoader payload
LgoogLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d3ea4db2-43ba-447f-9329-073a06837367
Unpacked files
SH256 hash:
f3494a37b9a9596b6169beac52f848ae53329dd2f59ba2fd2a0c8cc0dd046442
MD5 hash:
261018316f09f6ad62f615ebd5cf333a
SHA1 hash:
1cf5036b2184746fb61d8f28e8cc2684e622cb85
Link:
https://www.unpac.me/results/47fa0d4f-d502-496f-8a9f-ed3825691c66/
SH256 hash:
1099a94d3847925fa30d83ce653a8b6e88e36ee7748998da5358a1b4ff623af8
MD5 hash:
e72e839a260dedf1b168826fa435eed8
SHA1 hash:
47bdf79debf1169477e7e4ca8ac2ca9a552054cc
Link:
https://www.unpac.me/results/47fa0d4f-d502-496f-8a9f-ed3825691c66/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1099a94d3847/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/1099a94d3847925fa30d83ce653a8b6e88e36ee7748998da5358a1b4ff623af8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2488375/

Comments