MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27acd486acf23809f4792ed977bef8cd765d16a37fafe2a4e050284423bce11b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LgoogLoader

Vendor detections: 11

SHA256 hash: 27acd486acf23809f4792ed977bef8cd765d16a37fafe2a4e050284423bce11b
SHA3-384 hash: dff114f2b10ae73f67b36810385606316b4ccd57ba08bea1a47cb96d9aac9473aadcd3aa5dd00ea02d8425cf8f3ab8c9
SHA1 hash: b202b77493a3821a97cb08538590be106e5bb551
MD5 hash: cd2704f93fec8af2b68204e9cdbd624e
humanhash: queen-massachusetts-arizona-river
File name: file
Signature: LgoogLoader
File size: 841'360 bytes
First seen: 2022-11-06 16:04:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep: 12288:0zLJtMwl1o8fRsbJnf7DQ1JOsZIdlYJcTT4l/kqKN7/UFaXyEjxo1TUI0yjSJKY9:0BFl1NOsZMlYa34lsqEayz23BjSwY9
Threatray: 76 similar samples on MalwareBazaar
TLSH: T15505129B90865077D48653B01C9E22A331A53DE05325A39F919BFE5DA0B13F2133B2EF
TrID:
- 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
- 16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
- 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
- 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
- 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: d496b296b6b296c4 (1 x LgoogLoader)
Reporter: jstrosch
Tags: exe LgoogLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 159
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2022-11-06 16:07:06 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: advpack.dll overlay packed rundll32.exe setupapi.dll shell32.dll

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: ManusCrypt, SmokeLoader, Socelars, lgoog
Detection: malicious
Classification: troj.spyw.evad.spre.phis.bank.expl.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected VMProtect packer
DLL reload attack detected
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Chrome's extension installation force list
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites Mozilla Firefox settings
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Download and Execute IEX
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected ManusCrypt
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: ID 739315, sample file.exe, start date 06/11/2022, architecture WINDOWS, score 100 (interactive process/network graph not reproduced here)
Threat name: Win32.Backdoor.Generic
Status: Suspicious
First seen: 2022-11-06 16:05:09 UTC
File Type: PE (Exe)
Extracted files: 26
AV detection: 9 of 26 (34.62%)
Threat level: 5/5

Result
Malware family: lgoogloader
Score: 10/10
Tags: family:lgoogloader downloader persistence
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Detects LgoogLoader payload
LgoogLoader
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: c08159a512e78460e8904b4c0bbf05f0a55ca0043884ed8678dcfb0b461d9bb1
MD5 hash: 7ef6732afe8c285e6f1974316982b265
SHA1 hash: 809d00bbe07717a76018276f67352647782851ae

SHA256 hash: 27acd486acf23809f4792ed977bef8cd765d16a37fafe2a4e050284423bce11b
MD5 hash: cd2704f93fec8af2b68204e9cdbd624e
SHA1 hash: b202b77493a3821a97cb08538590be106e5bb551
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: LgoogLoader
File type: Executable exe
SHA256: 27acd486acf23809f4792ed977bef8cd765d16a37fafe2a4e050284423bce11b (this sample)

Delivery method: Distributed via web download

Comments