MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b
SHA3-384 hash:	ee8324475ca1d28e5df05f3b3c915c9b74aacdbe512640109f51166129c320787366bd0d2611e724e92c17671417453c
SHA1 hash:	47fd2695b6da26f6444799d442662b982d70f783
MD5 hash:	daf761fb9aaa34a9c2120003694d88a3
humanhash:	single-item-december-nebraska
File name:	file
Download:	download sample
Signature	LgoogLoader Alert Create hunting rule
File size:	30'720 bytes
First seen:	2023-06-06 13:48:31 UTC
Last seen:	2023-06-06 14:34:48 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	768:uwVMApolbUGPPMdwdunhdH15FIU/ogyejq:bVLoljn8nhj5FF1jq
Threatray	1'575 similar samples on MalwareBazaar
TLSH	T168D20800A3F98767EAFB4BF64871124447BA7ABB7936E75D0DC460DB1A637404A01BA3
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	jstrosch
Tags:	.NET exe LgoogLoader MSIL X64

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

306

Origin country :

US

Vendor Threat Intelligence

ANY.RUN redline

Malware family:

redline

Alert

Create hunting rule

ID:

1

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-06 13:53:44 UTC

Tags:

opendir gcleaner loader stealer rat redline smoke trojan evasion

Link:

https://app.any.run/tasks/305722cf-c2c1-46f7-85a3-4ab546918cdc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/396163/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67395159.24366.19907.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a service

Loading a system driver

Launching a process

Creating a file

Enabling autorun for a service

Forced shutdown of a system process

Sending an HTTP GET request to an infection source

Unauthorized injection to a system process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/647f3958ea2d2f23b9e83b22/reports/6c8ed1d2-b88a-4ccd-adb2-cdbfc1ebb83a/overview

Hybrid Analysis Trojan.Generic

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Generic Malware

Malware family:

Generic Malware

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ac5c658e-879a-48ec-a2e9-fdcc20144acd

Joe Sandbox lgoogLoader

Result

Threat name:

lgoogLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1249677

Signature

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample is not signed and drops a device driver

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected lgoogLoader

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b/

ReversingLabs TitaniumCloud Win64.Trojan.Pwsx

Threat name:

Win64.Trojan.Pwsx

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-05 13:21:31 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

2

AV detection:

14 of 24 (58.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ddkikcqqqextwtmgggjz2ru3iha5grfh7kjallgddmtf2bqafenq._file

Threatray malicious

Verdict:

malicious

Similar samples:

2267fac6e4bcace94d9ed232cc4ba7e128424e80c5730ea38f23610c11bdc168

LgoogLoader

28ff484ca36b3a1f5d7f59a25e947e9a6b12ca34214f9bcfca01cee5745e6b6a

LgoogLoader

34a6cb7776062b6a981d8f2b1fd7e6e7fc6fb9c5253f57a06cef1903569fd532

LgoogLoader

36f8d4d85b7d03fdbd622909d93638fa20bbdcc1e832591b82dbe7f710ab0be0

LgoogLoader

6159a8ba420cbed9d0ca9abb371cd8b1e600c0e2fd7763f32cec6917605d51d9

LgoogLoader

71defd1bab3b3bd4a693f866c84d74f9b96a5b52347b3fad352dce152a67dcbd

LgoogLoader

9ef8d74a3ef84feb99d45e04e084fb628c091f8fa3b81b42faacc235ab2e753e

LgoogLoader

d69974ab2591e06f55c58786be3fc436fe992c501dd37724869747e2369c909d

LgoogLoader

dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59

LgoogLoader

fb8fdb08cf7984a3bac0cc7daeea3790a92306467543cf556945fc479a165dd8

LgoogLoader

+ 1'565 additional samples on MalwareBazaar

Hatching Triage lgoogloader

Result

Malware family:

lgoogloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:lgoogloader downloader persistence

Link:

https://tria.ge/reports/230606-q4n9asdh88/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Sets service image path in registry

Detects LgoogLoader payload

LgoogLoader

UnpacMe

Unpacked files

SH256 hash:

18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b

MD5 hash:

daf761fb9aaa34a9c2120003694d88a3

SHA1 hash:

47fd2695b6da26f6444799d442662b982d70f783

Link:

https://www.unpac.me/results/aaf87cf2-fa5e-4219-bd99-3815b2f2fbec/

VMRay SmokeLoader

Malware family:

SmokeLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/18d4850a1081/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.49

Link:

https://yomi.yoroi.company/submissions/18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LgoogLoader

exe 18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b

(this sample)

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2627632/

Cape

https://www.capesandbox.com/analysis/396163/