MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b6fb52a435554c131a8d186a61c0c199964c0e4a8a0c4d173bfe5b0e7543578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b6fb52a435554c131a8d186a61c0c199964c0e4a8a0c4d173bfe5b0e7543578
SHA3-384 hash: 7dd335dd225081b2469f9dab95f461490f663e9204ce8362740883e7f38c26708b58f8aab30eee00cd69ee30a1dd1da9
SHA1 hash: dba343350c28630f234e77b81497b2b783f679a7
MD5 hash: 7bb76c34be5ab0c304dec72950212972
humanhash: blue-idaho-shade-island
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'652'376 bytes
First seen:2022-11-30 12:44:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 65e2071a6dbd1bcc77513fd1371485e4 (3 x LgoogLoader, 1 x SystemBC)
ssdeep 49152:5DbpDg1uqcbm/Va8Q0wBaKpaDarahIKVuAL3zDZ:5DVDg8pL8Q0wkKpyIK/rzN
Threatray 143 similar samples on MalwareBazaar
TLSH T12C75CF64A492C0B4D96C0E3C42BD2DADC236AE82372B91D70ED962B4E1F8D5E543731F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 63d94c244460613e (2 x SystemBC, 1 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:mamba.net
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-09T13:15:06Z
Valid to:2023-01-07T13:15:05Z
Serial number: 031d4a436b6f82fd6e30a68de3ef8fcb7ff4
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 335cc075827be688cd6f710540c0cdc38dbbe9586e0b22b76361f29ce81a7bb6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_657121224?hash=fnhvNgjbjPB7bPl5zFnYma7wxTPnRurZZ0HxpeyDAss&dl=G43DANZVGAYDSNY:1669751013:Vpvpd1IK3C23R99BlHYpJkQg9oVVUzmeZNYbKo8eq4P&api=1&no_preview=1#adan

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-30 12:46:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5a38d3d-fe5b-4cc8-abb8-3dd7c084f127

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/340121/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.13070.19218.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6387505000c584752ee2bf94/reports/52273d63-d6ae-4ac5-926c-bcebf5b922da/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d4b5643-8378-45b1-9389-36e0be298df6
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1123981
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b6fb52a435554c131a8d186a61c0c199964c0e4a8a0c4d173bfe5b0e7543578/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 20:02:47 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnx3kksdkvkmcmni2gdkmhamdgmwjqhevcqmjultx7s3bz2ugv4a._file
Verdict:
malicious
Similar samples:
44192d53830cd0b58bd4c3213649104f23f5c5cb2d4f1168d2d07654e841b907
LgoogLoader
5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd
LgoogLoader
61436285b70355a6e0239c982c9b4a12cf2061c5b9c1eb2f4ff97133c549e891
LgoogLoader
7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993
LgoogLoader
7e20c52b5f40ae6bdfaa67996aa35a93c3ff1e1a197ba6b582fac1555af6d0f9
LgoogLoader
8391de874c21ac03bf02c2e6fa7feabc06b2421df1ca6820cc38ad911b060937
LgoogLoader
be7096119b86de54f3a82c8059e372396169c30d2300d4ec768f4065e4b1b9a7
LgoogLoader
db879678592ef06f80666d6e86759df9ebdf0fd7349af580a8a9c1f1cf7eee36
LgoogLoader
+ 133 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221130-py3daseb91/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ce537182-1673-4c46-968b-4b8ac8f37bc3
Unpacked files
SH256 hash:
6567df169b1754e85f65fd722f47669f17ad4e202f646c9fe0e93e9d488b648d
MD5 hash:
6bc57052c0590f1d9c311701f19e8e39
SHA1 hash:
f8fba0c693d62677c3ae4c9c1e47138c440c8406
Link:
https://www.unpac.me/results/1d9ca73f-fa0e-46f6-87ec-9b1f1eee6bda/
SH256 hash:
6b6fb52a435554c131a8d186a61c0c199964c0e4a8a0c4d173bfe5b0e7543578
MD5 hash:
7bb76c34be5ab0c304dec72950212972
SHA1 hash:
dba343350c28630f234e77b81497b2b783f679a7
Link:
https://www.unpac.me/results/1d9ca73f-fa0e-46f6-87ec-9b1f1eee6bda/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b6fb52a4355/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b6fb52a435554c131a8d186a61c0c199964c0e4a8a0c4d173bfe5b0e7543578

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/340121/

Comments