MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36c4671ed74faa58deb5e4beeb3e5a2dea396af537cf24e2faf3b08d35b088d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LgoogLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	36c4671ed74faa58deb5e4beeb3e5a2dea396af537cf24e2faf3b08d35b088d3
SHA3-384 hash:	c045369424b8bf12d49ffc8595ab44fff6d3e263fcd2d896874e5b66f780c2c6cb66e3a7da3fee8bbd6b9d13c86544f4
SHA1 hash:	b6cba305bfae5401585256716f5edcfdec000652
MD5 hash:	adb6b242b9d6674ed4a534958ac8d0a2
humanhash:	triple-moon-king-vegan
File name:	file
Download:	download sample
Signature	LgoogLoader Create hunting rule
File size:	1'523'096 bytes
First seen:	2022-12-12 03:24:53 UTC
Last seen:	2022-12-12 13:06:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	545349dda8d13c4ab678a9966d7c7a40 (6 x LgoogLoader)
ssdeep	12288:YyHHv2e7NjcG/ItNDYfEzCmBko6sDhGjJMpWeqQ/fUfeZgALMYF3qcV2aCqHHPfp:xFRjOYsuypqmLFFaYtHHHLnzbKgIKR
Threatray	16'127 similar samples on MalwareBazaar
TLSH	T1B865D036E5B0CCA2DA47C63552628692CC2DD945DB169EE32C0C46A5E2DCF97E3B3343
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e8d492c8d2b2cccc (1 x ArkeiStealer, 1 x RedLineStealer, 1 x LgoogLoader)
Reporter	andretavare5
Tags:	exe LgoogLoader

andretavare5

Sample downloaded from http://80.76.51.212/files/Adsme.exe

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345309/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Launching a process

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a file

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/63969f11a2c2485912c7ff9e/reports/107db40a-98cc-4e44-a792-6ab9bd7f515a/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mustang Panda

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b339e79-d810-4c54-90e2-1dd300f797f8

Result

Threat name:

RedLine, lgoogLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1132383

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected lgoogLoader

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36c4671ed74faa58deb5e4beeb3e5a2dea396af537cf24e2faf3b08d35b088d3/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g3cgohwxj6vfrxvv4s7owps2fxvds2xvg7hsjyx26oyi2nnqrdjq._file

Verdict:

malicious

LgoogLoader

25dd0395643f85483595e7968be30b9ab55572f220b52b49ecea6ac3dfaef824

LgoogLoader

7a5647b5e4aca4354ceac0ab494086ecf14ccfaef3075110ca5fde952982e88d

LgoogLoader

b6d11912ccaa3ef1bc9886e58bac7d31db936a4964d115469dee958ad266bcc7

LgoogLoader

cae45a48ed911a6b09c3d948019146afe2f1f0c97c07703e067d954d73281f45

LgoogLoader

d08b59352d10ca03662860fd6f74d4d275e51a019335c50b264abe9e71c900af

LgoogLoader

de2762eb266c1486dd5beb3f7716597924bb8cc97f94f04b77f9a9a246d7dbd2

LgoogLoader

dfd88d1b834dac64cb82037099eff4e0d062011c712b7d413041a801ba0ac0ae

LgoogLoader

e83e4db6d226391445db6e931939e2a0da67e8c4428bb2512034e166b9ca5414

LgoogLoader

f4bd2a3966e470792f0aa53b98c53c8b1f22c4d5256f561c8b0d22f477e4a0cd

LgoogLoader

+ 16'117 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221212-dymgasch6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/839302dd-d673-42bc-91bc-ad1cb21a283e

Unpacked files

SH256 hash:

09e11bd330b38f49f9cf9ee36deacfdf04ff52dc9034b188bbc80881f041092d

MD5 hash:

84f3f90f61da09fda2e5557642f21f6e

SHA1 hash:

89656f1fa6ea57671a58f5bcd1fc514552df7150

Link:

https://www.unpac.me/results/eee28e32-9c2d-4417-b9f6-7bfabd75c79c/

SH256 hash:

36c4671ed74faa58deb5e4beeb3e5a2dea396af537cf24e2faf3b08d35b088d3

MD5 hash:

adb6b242b9d6674ed4a534958ac8d0a2

SHA1 hash:

b6cba305bfae5401585256716f5edcfdec000652

Link:

https://www.unpac.me/results/eee28e32-9c2d-4417-b9f6-7bfabd75c79c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36c4671ed74f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/36c4671ed74faa58deb5e4beeb3e5a2dea396af537cf24e2faf3b08d35b088d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/345309/

URLhaus

https://urlhaus.abuse.ch/url/2454281/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample