MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32e8bb7e05049dcc6ffad8ff029468246734dd8adb01af52a55ddc1488b397c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


lgoogLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32e8bb7e05049dcc6ffad8ff029468246734dd8adb01af52a55ddc1488b397c3
SHA3-384 hash: 3dc45a2f37b148326dc16e44f43ba01379102a0cac5d299b5a1ba97501d4d7794c392f2ab341518af973928cdf9260f5
SHA1 hash: bb87ee24c2f5dab5e45ea7b1a6ad64b71d24a05a
MD5 hash: f08a70c92e68dc657a8656ab72a7c6a3
humanhash: freddie-item-cat-hotel
File name:file
Download: download sample
Signature lgoogLoader
Create hunting rule
File size:1'927'120 bytes
First seen:2022-11-07 17:32:25 UTC
Last seen:2022-11-08 12:50:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash acd487c90519a8665aaec252b24b2244 (3 x RedLineStealer, 1 x AsyncRAT, 1 x lgoogLoader)
ssdeep 24576:lccAGuOBebaF2uA3ZiTWvPfPSmhxUqd94QwXrDnd9t0MeaGCUevN7627Ji:23QsuAp53nS6RXwX3dYMeaNUiNxk
Threatray 9 similar samples on MalwareBazaar
TLSH T175951257F0429C11FEAB3378163289B096A9FAE4A7EF907604F61F60B5747B2E114F21
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0b595c3c5848613e (1 x lgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:domainmarket.com
Issuer:Amazon
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-27T00:00:00Z
Valid to:2023-01-24T23:59:59Z
Serial number: 01865477c83493a64683d30c97faac58
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7e2059b7358a7ef30ae8fa293ab6ab6f64ca943fc8729516c8813a2c64a1948b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://cdn.discordapp.com/attachments/1038875522370900151/1038881013633392751/0leue2CkFDJe.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-07 17:35:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/957256fb-13f9-44f9-83ed-9cc6c8eb2a01

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/330098/
Detection(s):
SecuriteInfo.com.Variant.Jaik.102656.14440.32759.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/49744/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CallSleep
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63695282a56eb5e483c50e2f/reports/cbce5cb5-67cc-47bb-afae-5761bc2cf482/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/333e2432-2b6f-481d-9bc4-174ea0e8e98a
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1107503
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32e8bb7e05049dcc6ffad8ff029468246734dd8adb01af52a55ddc1488b397c3/
Threat name:
Win32.Trojan.LgoogLoader
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 17:33:12 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=glulw7qfaso4y3723d7qffdierttjxmk3ma26uvflxobjcfts7bq._file
Verdict:
malicious
Similar samples:
024eb21bd037fb35d9a56affa3a4e845585b963f65a4dfdbc5eaa93d5ef950a0
lgoogLoader
303bd4a9a4f522900dcb9af3030f9683b64cb904e12e75ed06723c43215ef438
lgoogLoader
322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
lgoogLoader
51e380e872b007b342e94119d6665cc15ce492964c82799117e50e2f103a5ac3
lgoogLoader
8aa42c477d96d5cf3a5d9ea88ebc6e82d8db7970f85fd03924447040e2758a96
lgoogLoader
9cde8e9e06dd9ce7b6e4a13e9772d6811a54b3aef023303ffcae41a85fdb33a1
lgoogLoader
fea97bcd0bcd24fae553aa9152a410e3e6064edbd8011c3b2d9fcee40cc430f8
lgoogLoader
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader
Link:
https://tria.ge/reports/221107-v4vhjaccdk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detects LgoogLoader payload
LgoogLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a443da8c-a306-457b-9d06-271fa9236522
Unpacked files
SH256 hash:
954c73fef3c476969ee54701f4b5f114fe124169975fae364543ee41fe6f5faa
MD5 hash:
d0bab370d07c0f04a2c1056b447fc6c6
SHA1 hash:
165d0a8be3d92d8e8bafac501f4a54b1202d86ec
Link:
https://www.unpac.me/results/d307ec1a-19ed-4be9-b56f-85cdf4b395bd/
SH256 hash:
c4c15fedeedb9188440c98d393a86a6775f996f6ca135d339be8c23d8e4f533e
MD5 hash:
fb2f9547a57e0cd4e208efbd58864cc9
SHA1 hash:
9d73fb1796bdc9e0066bebef1a4b574cacac6086
Link:
https://www.unpac.me/results/d307ec1a-19ed-4be9-b56f-85cdf4b395bd/
SH256 hash:
32e8bb7e05049dcc6ffad8ff029468246734dd8adb01af52a55ddc1488b397c3
MD5 hash:
f08a70c92e68dc657a8656ab72a7c6a3
SHA1 hash:
bb87ee24c2f5dab5e45ea7b1a6ad64b71d24a05a
Link:
https://www.unpac.me/results/d307ec1a-19ed-4be9-b56f-85cdf4b395bd/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/32e8bb7e0504/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/32e8bb7e05049dcc6ffad8ff029468246734dd8adb01af52a55ddc1488b397c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/330098/
  
URLhaus
https://urlhaus.abuse.ch/url/2403518/

Comments