MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e128ec938bbb7fc4c2c9444ad21ffe9e2dee5fdc74ec9bf91d9663df77c49d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LgoogLoader

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	2e128ec938bbb7fc4c2c9444ad21ffe9e2dee5fdc74ec9bf91d9663df77c49d4
SHA3-384 hash:	685373bf374825563f51d9fe6f5e03959b8e29e9ff92a1afa29cdf3dc3f118f4ad44f23b7319c8d9e63b0f61cc7d94f5
SHA1 hash:	65f1728196f6f06822303e5bda411e81f187300c
MD5 hash:	9c6060a57dcb1d94a69b638424279a8b
humanhash:	princess-colorado-tennessee-angel
File name:	file
Download:	download sample
Signature	LgoogLoader Create hunting rule
File size:	414'208 bytes
First seen:	2022-12-29 12:16:50 UTC
Last seen:	2022-12-29 13:28:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fac846dab23365b53d36031310c47cac (5 x RedLineStealer, 1 x LgoogLoader)
ssdeep	12288:NtNr2UjL5S7XJZqx+6FunjCTR6Hyk2JnkBJ:nN6IG6xbFu2F6SkSn0
Threatray	187 similar samples on MalwareBazaar
TLSH	T16394CFC17C929032E876253209F496F85D3DB92107A75FFBE7840B6D4E342D2AB3199B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe LgoogLoader

andretavare5

Sample downloaded from http://www.isurucabs.lk/Ads11.exe

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2022-12-29 12:21:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/90c1250c-3278-498d-a1d5-cee65d1639f3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Babar.83470.28726.22004.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63ad8545a70bef46551c1250/reports/70898a62-98f5-46b6-8092-ef4fe6b09d23/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Conti

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/48833973-1375-464e-a70f-b00a6f8663b0

Result

Threat name:

lgoogLoader

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1142693

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contain functionality to detect virtual machines

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected lgoogLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e128ec938bbb7fc4c2c9444ad21ffe9e2dee5fdc74ec9bf91d9663df77c49d4/

Threat name:

Win32.Downloader.LgoogLoader

Status:

Malicious

First seen:

2022-12-29 12:17:09 UTC

File Type:

PE (Exe)

AV detection:

15 of 39 (38.46%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fyji5sjyxo37ytbmsrck2ip75hrn5zp5y5hmtp4r3ftd3534jhka._file

Verdict:

malicious

LgoogLoader

44192d53830cd0b58bd4c3213649104f23f5c5cb2d4f1168d2d07654e841b907

LgoogLoader

4aba54c660a656f5bb5b75ea11029217bdf96c931c21d1143042ac3278ac6e43

LgoogLoader

4ae50705d897b5c7a148bfe6241b8c1e50d8bd836ea1af326264128d58ced7c7

LgoogLoader

51bca1340951634cd5bdb488290a162c521945fb0cf52c360b9420c8a3cfd9e4

LgoogLoader

5e445100682a5982df3301b2631e3be0d503df870175d50cf0faa3e374e742fd

LgoogLoader

61436285b70355a6e0239c982c9b4a12cf2061c5b9c1eb2f4ff97133c549e891

LgoogLoader

7a5647b5e4aca4354ceac0ab494086ecf14ccfaef3075110ca5fde952982e88d

LgoogLoader

8391de874c21ac03bf02c2e6fa7feabc06b2421df1ca6820cc38ad911b060937

LgoogLoader

dc97a6f3209e48c6b45354965214110cc515209135483152672cc73f149cfbcf

LgoogLoader

+ 177 additional samples on MalwareBazaar

Result

Malware family:

lgoogloader

Score:

10/10

Tags:

family:lgoogloader downloader

Link:

https://tria.ge/reports/221229-pf3aksda36/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Detects LgoogLoader payload

LgoogLoader

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5ad20cec-c7c8-4398-a46e-9294e3882817

Unpacked files

SH256 hash:

92d915e191cab4f76a6c094e86a9e979c63c60a923ce42c0b1a5886426680d0f

MD5 hash:

254fe64b8bcbeaf561e135fad218aa10

SHA1 hash:

9ae836ecfe7abb21a97ebfbfec4ebb11a99da8e7

Link:

https://www.unpac.me/results/0ca70cd7-4dd6-4bca-b3e8-3b38d46ac239/

SH256 hash:

ceb192ff08bda7b4cb12d2f55806be2e5038e0701a8304dc210e9348a4d50b34

MD5 hash:

2b1c72b8354a9ce3204548c7cb0fc24e

SHA1 hash:

7790b7ade96afde27a5c1887394891932b5780e6

Link:

https://www.unpac.me/results/0ca70cd7-4dd6-4bca-b3e8-3b38d46ac239/

SH256 hash:

72f06deec9a667bf1a334956bb4a25571f50368db4217b97c8e2431c84bd8981

MD5 hash:

490b2f2f8feb91e3fee8d58650c3e84d

SHA1 hash:

282747ab7f16cba42491ec2e147958ed51cf031d

Link:

https://www.unpac.me/results/0ca70cd7-4dd6-4bca-b3e8-3b38d46ac239/

SH256 hash:

2e128ec938bbb7fc4c2c9444ad21ffe9e2dee5fdc74ec9bf91d9663df77c49d4

MD5 hash:

9c6060a57dcb1d94a69b638424279a8b

SHA1 hash:

65f1728196f6f06822303e5bda411e81f187300c

Link:

https://www.unpac.me/results/0ca70cd7-4dd6-4bca-b3e8-3b38d46ac239/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2e128ec938bb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e128ec938bbb7fc4c2c9444ad21ffe9e2dee5fdc74ec9bf91d9663df77c49d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2488375/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample