MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LgoogLoader

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd
SHA3-384 hash:	a1b615666c617c682431df2718ec8303b32ab7472003b7b63a92b41a0a7960b357b5f75133c2c3ef0f55b97001a6e6c0
SHA1 hash:	de2c4696d48aa8028d8748767b64757b637c2c9e
MD5 hash:	9f9af1c589d15c6c3d8fa82e6637dac8
humanhash:	saturn-floor-west-lactose
File name:	file
Download:	download sample
Signature	LgoogLoader Create hunting rule
File size:	1'424'872 bytes
First seen:	2022-11-21 08:28:04 UTC
Last seen:	2022-11-22 10:33:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b2dd0861dcc82a259d1c8907d9c316e9 (2 x LgoogLoader, 2 x ArkeiStealer)
ssdeep	24576:Oa7mZJIZ3S5nPTipBWrwR8CePLGptWZUI5Y4e9jgdxNJ55iZT7oo5BXBksP79WKs:OgtoPTipBWk6nPKpsZn5je9jgd7J55iY
TLSH	T19865E134E761F020FA560573A4C1432BF8BA96911FB1E58321CC2AF5D1E8AC5DAB7F46
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d0fcfcdcdcdcdcd4 (1 x LgoogLoader)
Reporter	andretavare5
Tags:	exe LgoogLoader signed

Code Signing Certificate

Organisation:	unsplash.com
Issuer:	GlobalSign Atlas R3 DV TLS CA 2022 Q3
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-09-27T17:42:11Z
Valid to:	2023-10-29T17:42:10Z
Serial number:	01465bca7b3eec596fea1a5d7c285934
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	bb60bf217407b6691c5076b9e226b6b464bee841d8bef91676392f4e10b19afe
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://myfileexe.s3.ap-northeast-3.amazonaws.com/Esayrar.exe

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-21 08:31:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a2ae5b84-52ce-4847-936b-0b3a8b260cb6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/336618/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.1077.5342.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

DNS request

Launching a process

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/637b36ce903ba0eaf36ccc84/reports/ad3ea90d-c90a-4ae3-a1ca-d42e593c4b70/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mustang Panda

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/76db1e9e-5dae-4af7-b6a3-98b6017aaf9c

Result

Threat name:

lgoogLoader

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1117907

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

Yara detected lgoogLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-21 08:29:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kqz2wzsrx5b4ogkxcq42homnxvjcclislguoflpsri7k5b7tgxoq._file

Verdict:

malicious

Result

Malware family:

lgoogloader

Score:

10/10

Tags:

family:lgoogloader downloader

Link:

https://tria.ge/reports/221121-kdj9rsfa6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Detects LgoogLoader payload

LgoogLoader

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3bf9e809-e0c2-4959-a20b-12fc78e85211

Unpacked files

SH256 hash:

dd79f224459daedf47f44cd409442a59f4e80e5d5aeeb16d02cfb111bb3847a8

MD5 hash:

250f259007d52431bf05eaaa88538a07

SHA1 hash:

5535a4ae56e1227c6388040265247cb6605f802d

Link:

https://www.unpac.me/results/0e6e228d-1eb4-4caa-a65e-ce4763ca9ffa/

SH256 hash:

5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd

MD5 hash:

9f9af1c589d15c6c3d8fa82e6637dac8

SHA1 hash:

de2c4696d48aa8028d8748767b64757b637c2c9e

Link:

https://www.unpac.me/results/0e6e228d-1eb4-4caa-a65e-ce4763ca9ffa/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5433ab6651bf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/336618/

URLhaus

https://urlhaus.abuse.ch/url/2428339/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample