MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ae50705d897b5c7a148bfe6241b8c1e50d8bd836ea1af326264128d58ced7c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ae50705d897b5c7a148bfe6241b8c1e50d8bd836ea1af326264128d58ced7c7
SHA3-384 hash: 1c3902126a6651e9fd59be4f387773d9a87c2d7101d758059a201f08ce256973d4b26ba9fcd39d6efdce00861a6b387f
SHA1 hash: 1395229ac07dee931ed049d5a63dc490f9b78772
MD5 hash: 4ad9a98c98523e13ee2b5316be2127fe
humanhash: mockingbird-butter-two-carbon
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'992'096 bytes
First seen:2022-12-28 14:46:23 UTC
Last seen:2022-12-29 02:23:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fe01f9f8334b2fe85e327d2dedbba869 (2 x ManusCrypt, 2 x LgoogLoader, 1 x RedLineStealer)
ssdeep 49152:gAT0MWlGhrnyAgIiNqetUpqjLIL041YqVozQu:gAwMWlGhrnptiUxVozZ
Threatray 79 similar samples on MalwareBazaar
TLSH T16895CFCAFF41F500E4868E7879A2F6DFBC60B43D2A936482A14718F3D1E4CE49975798
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0cc96969686f4f0 (1 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:time-les.si
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-13T13:11:51Z
Valid to:2023-03-13T13:11:50Z
Serial number: 0309d972f05bac35baca02cd759248fea2a6
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 2d26e26f24fbbcfea708f004cd6fcf32aa9aa3e8b4c89437263a782bc716ed03
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://www.isurucabs.lk/Ads11.exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-28 14:47:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e56252b-a8bb-4de7-9fb1-ecddac490896

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.24128.812.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63ac56e7fc9525ae8a44b7ad/reports/9adcf4f2-a53c-442b-add2-82cc5385cf9c/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c25d2af-a721-4368-b781-c2fc4419b0ef
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1142105
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ae50705d897b5c7a148bfe6241b8c1e50d8bd836ea1af326264128d58ced7c7/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-12-28 13:17:09 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlsqoboys624pikix7tcig4mdzinrpmdn2q26mtcmqji2wgo27dq._file
Verdict:
malicious
Similar samples:
36c4671ed74faa58deb5e4beeb3e5a2dea396af537cf24e2faf3b08d35b088d3
LgoogLoader
4aba54c660a656f5bb5b75ea11029217bdf96c931c21d1143042ac3278ac6e43
LgoogLoader
51bca1340951634cd5bdb488290a162c521945fb0cf52c360b9420c8a3cfd9e4
LgoogLoader
5e445100682a5982df3301b2631e3be0d503df870175d50cf0faa3e374e742fd
LgoogLoader
6b6fb52a435554c131a8d186a61c0c199964c0e4a8a0c4d173bfe5b0e7543578
LgoogLoader
7a5647b5e4aca4354ceac0ab494086ecf14ccfaef3075110ca5fde952982e88d
LgoogLoader
8391de874c21ac03bf02c2e6fa7feabc06b2421df1ca6820cc38ad911b060937
LgoogLoader
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
LgoogLoader
be7096119b86de54f3a82c8059e372396169c30d2300d4ec768f4065e4b1b9a7
LgoogLoader
dc97a6f3209e48c6b45354965214110cc515209135483152672cc73f149cfbcf
LgoogLoader
+ 69 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader
Link:
https://tria.ge/reports/221228-r5vm5sdf8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detects LgoogLoader payload
LgoogLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/24602cb1-b0ef-4585-9120-d6b8ad5f86c6
Unpacked files
SH256 hash:
fa42e38e3a3c4a5f39e1835a157749ddba9632c2da322463ce952a4e3cdeb687
MD5 hash:
0195dab6b80ee32c0da547f1ba54090b
SHA1 hash:
508bf6cf5abe8a2cda57db1bbf353665b01d667b
Link:
https://www.unpac.me/results/03e40873-7913-42c9-b66b-5331db8894ac/
SH256 hash:
4ae50705d897b5c7a148bfe6241b8c1e50d8bd836ea1af326264128d58ced7c7
MD5 hash:
4ad9a98c98523e13ee2b5316be2127fe
SHA1 hash:
1395229ac07dee931ed049d5a63dc490f9b78772
Link:
https://www.unpac.me/results/03e40873-7913-42c9-b66b-5331db8894ac/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ae50705d897/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/4ae50705d897b5c7a148bfe6241b8c1e50d8bd836ea1af326264128d58ced7c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2488375/

Comments