MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2078a05b80b0f4ef9eeea5c477eea06704efd792203e2614c5ceabf24e09324c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2078a05b80b0f4ef9eeea5c477eea06704efd792203e2614c5ceabf24e09324c
SHA3-384 hash: 3707035cd5f63c65dd457ad802561590e22a2fc181f45452f4fc2a726eed26d57c94912356525adeb796659e5bd60a6e
SHA1 hash: 140afe2a67935c924acb8544d57133f33c6d942d
MD5 hash: 0772d96197ee4b3d5cbb3b5624aeb353
humanhash: mexico-freddie-mango-johnny
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:479'232 bytes
First seen:2022-12-13 17:26:04 UTC
Last seen:2022-12-13 18:53:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:EKXAkq5tuO6HQBVQjj7lNUEBdRSwKmIm7AiOJI7rQWlF3vi+aq353K7mPE7J9:EaAkq5tuO6HQBVQjj7lNUEBdUwKmIm7a
Threatray 813 similar samples on MalwareBazaar
TLSH T125A4DF66417ABB71CCD24F33979113FB4A17A85B5F2E3047F10EB166AE3219B8891783
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter andretavare5
Tags:exe LgoogLoader


Avatar
andretavare5
Sample downloaded from http://80.76.51.212/files/Adsme.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-13 17:27:51 UTC
Tags:
opendir loader evasion
Link:
https://app.any.run/tasks/b79001ab-5d4f-4cbc-9cbe-9a4dfe8d9561

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345974/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Using the Windows Management Instrumentation requests
Creating a file
Enabling autorun for a service
Blocking the User Account Control
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6398b5e60c6473d1671ae1be/reports/5814fdbd-8055-48ed-97a4-e87c954d3722/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1c2965ae-423e-4a15-b652-d85c169986d8
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1133635
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Disables UAC (registry)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2078a05b80b0f4ef9eeea5c477eea06704efd792203e2614c5ceabf24e09324c/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 17:27:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eb4kaw4awd2o7hxouxchp3vam4co7v4sea7cmfgfz2v7etqjgjga._file
Verdict:
malicious
Similar samples:
050020309e83e6c1d019c99322d534fd93756e925cd4b1da02ced90f528cc3d3
LgoogLoader
533afea70b1fd1d2bc1bc9ade167aa251bdfaca969dbda48b240a17e01891986
LgoogLoader
81f88183029a59901067dd41d3b5fccdfbfc71600c6ac5cc259b83031cdb2b50
LgoogLoader
a99c69752668a94268cdb482df74649d755fcf56ecd9f431b1cb03b816a593cc
LgoogLoader
ba4f6fbd034bef02cb7a118b6b51e5ac65e0e9c7fa340c099ec5588dfc463c6c
LgoogLoader
d5f4b34691f83d4e43fca884fd61b14af4893be3843ec3d41ed1c38539b28f6d
LgoogLoader
e66a3a8ec788ee743a53778ce3adaeb98d15c691a4e15a361c644b5e98e2f60c
LgoogLoader
ec8a8ba728acaac222c46de8a8ddc8b9821ee8de92ebd73a1db6f2ba12f429a3
LgoogLoader
+ 803 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader evasion persistence trojan
Link:
https://tria.ge/reports/221213-vzwvsshh7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
Windows security modification
Sets service image path in registry
Detects LgoogLoader payload
LgoogLoader
UAC bypass
Windows security bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c6b6a56f-fa4c-48af-90b3-33ced14fd265
Unpacked files
SH256 hash:
2078a05b80b0f4ef9eeea5c477eea06704efd792203e2614c5ceabf24e09324c
MD5 hash:
0772d96197ee4b3d5cbb3b5624aeb353
SHA1 hash:
140afe2a67935c924acb8544d57133f33c6d942d
Link:
https://www.unpac.me/results/b3f9c92a-f25a-48c5-9c82-a518b7d4b305/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2078a05b80b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/2078a05b80b0f4ef9eeea5c477eea06704efd792203e2614c5ceabf24e09324c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2454281/
Cape
Cape
https://www.capesandbox.com/analysis/345974/

Comments