MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4184d4b8d72dd7c39855ec4b2916603118219bae7d2adcf6c5e31ab88466cc35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4184d4b8d72dd7c39855ec4b2916603118219bae7d2adcf6c5e31ab88466cc35
SHA3-384 hash: 1d4694099996a803aab76840578c4cb083785581d5ec895bf08a7384a150fd8d7df43473bd0a374b59642d76dc70b4ab
SHA1 hash: 3458b05ed17c74eaf61f35865307893b293f5f05
MD5 hash: ffa8a36dc38c17542114e782072ecf5c
humanhash: five-alpha-kilo-november
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'221'544 bytes
First seen:2022-11-25 12:01:35 UTC
Last seen:2022-11-25 17:56:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 865328ec6e8c931f31b423bc1dffe934 (2 x LgoogLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep 24576:/cj8L3fhzLOzf0sLpHh7zlnM5TsbdfARgol4Bmv8:/cj87fNkf0+R45odoR1+mv8
Threatray 730 similar samples on MalwareBazaar
TLSH T1D245BE357A035662C2B0DB3EBE562893B77B0D7837A300593202405E796BFD9EE875E1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f09cb4aca8ccd4cc (1 x RedLineStealer, 1 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:lightweight.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-23T01:34:00Z
Valid to:2023-01-21T01:33:59Z
Serial number: 03bd4d35d83158d19f0c08eb37233d489710
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 5010cc430b01bed559dc77cefa27497ffe0e7129254f1f081d87a969fc31727b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656806739?hash=zFcSJWapOk96GuboBXRSfzxONyWK8NYFDWKdSfMeZHw&dl=G43DANZVGAYDSNY:1669372282:3Eiq1WkxYQgi6fdl1Z2SmVpPWwBJraqBebnzl1z0vY8&api=1&no_preview=1#adan

Intelligence

File Origin
# of uploads :
7
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-11-25 12:04:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/438b610d-025d-4cf5-b7e1-e027d4deffae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338433/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.11559.8368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6380aebc94f9bac087b34fa8/reports/b7fe2ecb-c63e-4a03-9521-cd07b2443379/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fb8599f-ddb8-4287-a0d1-b6ed00ddab60
Result
Threat name:
RedLine, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121107
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753824 Sample: file.exe Startdate: 25/11/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 9 other signatures 2->42 7 file.exe 19 2->7         started        process3 dnsIp4 32 www.sssupersports.com 104.21.44.248, 443, 49702, 49703 CLOUDFLARENETUS United States 7->32 34 jorldxegjak.wldbdbqex 7->34 22 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 7->22 dropped 24 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 7->24 dropped 26 C:\Users\user\AppData\...\resource[1].bin, PE32+ 7->26 dropped 28 C:\Users\user\AppData\...\library[1].bin, PE32 7->28 dropped 44 Found stalling execution ending in API Sleep call 7->44 46 Writes to foreign memory regions 7->46 48 Allocates memory in foreign processes 7->48 50 3 other signatures 7->50 12 svchost.exe 1 7->12         started        15 ngentask.exe 7->15         started        17 ngentask.exe 7->17         started        file5 signatures6 process7 signatures8 52 Multi AV Scanner detection for dropped file 12->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->54 56 Machine Learning detection for dropped file 12->56 58 2 other signatures 12->58 19 jsc.exe 2 12->19         started        process9 dnsIp10 30 109.206.243.58, 49710, 81 AWMLTNL Germany 19->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4184d4b8d72dd7c39855ec4b2916603118219bae7d2adcf6c5e31ab88466cc35/
Threat name:
Win32.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2022-11-25 12:02:17 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igcnjogxfxl4hgcv5rfssftagemcdg5opuvnz5wf4mnlrbdgzq2q._file
Verdict:
malicious
Similar samples:
1ee453a94d90e6bd3615d306d7139c3abb5b7ea4f9f817a10218606c4aadcddf
LgoogLoader
35dfcc3167da89c032e4efcd6f50a9d71a49fd8f63899fa8aea63c0b6229bedd
LgoogLoader
544ccf26cf0038cc8d76b952e349f3e49db27e4d2cdc89ea72fa2fb8e8996038
LgoogLoader
66242b095b2cfb53b52d1743a42aaa9fd94c6b53f58869c4b1c9d893a541e3a6
LgoogLoader
7265ba924abcc035e8263873f5ed19842a0ad724b408fb816e7c1b64768b0cf0
LgoogLoader
8401c053dfd509441c73c2d06619fbeff3794da4c86b59f4f7de80db539e062f
LgoogLoader
8755b249212ed03acf40d6c02894ec5a48f62312d7f4dfb802cb17886d8c922f
LgoogLoader
a7dc1d7849adc86bc322f33ae8316be94e572df4442da18826330c2bdc124152
LgoogLoader
ca240b4fd7c8b8dc492d92070641e46fd4dd125a7e9d394d7d1bba7e83cabfca
LgoogLoader
e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3
LgoogLoader
+ 720 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221125-n7fefsfc28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c7d6e999-e8c9-4db4-97b0-3a93cc43968f
Unpacked files
SH256 hash:
5f3d974dbfb9011ab4d02306ef7e88002880ad3f9fbaa746048f5770aa96c181
MD5 hash:
1467914383aa88008271868987f6830c
SHA1 hash:
91f817871968255634d8313b221ac8a8fb8494e5
Link:
https://www.unpac.me/results/8b889a5d-4475-4c08-9f23-d4ee382eb5ef/
SH256 hash:
4184d4b8d72dd7c39855ec4b2916603118219bae7d2adcf6c5e31ab88466cc35
MD5 hash:
ffa8a36dc38c17542114e782072ecf5c
SHA1 hash:
3458b05ed17c74eaf61f35865307893b293f5f05
Link:
https://www.unpac.me/results/8b889a5d-4475-4c08-9f23-d4ee382eb5ef/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4184d4b8d72d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4184d4b8d72dd7c39855ec4b2916603118219bae7d2adcf6c5e31ab88466cc35

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/338433/

Comments