MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cfc4dfd10e4a160e8d70e9a8178288daff0ec49e39dd5f45f9ea553b94b4a8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LgoogLoader

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	6cfc4dfd10e4a160e8d70e9a8178288daff0ec49e39dd5f45f9ea553b94b4a8f
SHA3-384 hash:	998a9008fe2d0138c467a7d2e81597bb5b1ea5ac94a29c2ab0ee15519dfc2b8ea522440cd9d30120b3966a0bd1395dfd
SHA1 hash:	a9f0b00f0f237557338a7fdad9be320aff5c914b
MD5 hash:	2bfb1210836df1f8cd8ad0b23a4e751b
humanhash:	beryllium-winter-orange-ack
File name:	file
Download:	download sample
Signature	LgoogLoader Create hunting rule
File size:	710'008 bytes
First seen:	2023-01-20 11:33:57 UTC
Last seen:	2023-01-20 15:15:28 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:dM7vTkRj+7mrsHXoVjFlXWRFrvUo9qU7wL/K0ifFAdEB3aB/Ksq/Ksd/KsS:di2j+UQ4FFYrvMQS//kUQ3gidi
Threatray	978 similar samples on MalwareBazaar
TLSH	T127E4F1C2325896A3FE6C86B593B38D7012633F5D4EA6EBCE5CD6359211F33428019E5B
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	9aa28a92b6a08e8e (5 x LgoogLoader, 2 x Formbook, 2 x AgentTesla)
Reporter	andretavare5
Tags:	exe LgoogLoader signed

Code Signing Certificate

Organisation:	open candy Ltd
Issuer:	open candy Ltd
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-01-20T02:04:35Z
Valid to:	2024-01-20T02:04:35Z
Serial number:	c660a39d0b385058e77db1d93844dfb5
Thumbprint Algorithm:	SHA256
Thumbprint:	aa994a08d284006219061b8cae70e72ffd5fa0a6d311347b9707ea11fd5cd85c
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://www.isurucabs.lk/SAM.exe

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-01-20 11:35:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/66aedba8-b17e-42c7-843a-9807f041d18d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/354916/

Detection(s):

SecuriteInfo.com.Variant.Tedy.275813.28057.27255.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a service

Loading a system driver

Launching a process

Creating a file

Enabling autorun for a service

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

msiexec.exe overlay packed

Link:

https://www.filescan.io/uploads/63ca7c2b2b351a3d0ea7144e/reports/dcff8beb-dd8b-4d04-8ed0-2534fc0a2149/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5deeeb6d-e192-4e53-ae36-88108577ee51

Result

Threat name:

lgoogLoader

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1155472

Signature

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample is not signed and drops a device driver

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected lgoogLoader

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6cfc4dfd10e4a160e8d70e9a8178288daff0ec49e39dd5f45f9ea553b94b4a8f/

Threat name:

Win64.Trojan.Privateloader

Status:

Malicious

First seen:

2023-01-20 07:26:42 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

8 of 39 (20.51%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nt6e37iq4sqwb2gxb2nic6birwx7b3cj4oo5l5c7t2svhokljkhq._file

Verdict:

malicious

LgoogLoader

65a2b3cf112d50e941051116e68b736239d521bf7611e143ae1c83f93716f6f5

LgoogLoader

67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea

LgoogLoader

6fb65aaabd2d911fb31722cbd1d41399ded20e0e1dfef8907b7c9317727d398f

LgoogLoader

9ef8d74a3ef84feb99d45e04e084fb628c091f8fa3b81b42faacc235ab2e753e

LgoogLoader

c6135818ddc5d31afa68f42f21e1da3e19f879096298ccb84f68803847235004

LgoogLoader

f1ec2da9572ec46cf6937a8e51b0e188f5778d2c6cf47be6fe098a7dc8de87a9

LgoogLoader

f2529dae29184e925055095be10ac75fb92247ddb367f0b589fc5d7a88285369

LgoogLoader

fcfe4c075c3b67f661de261a2f05ce34d1b9b150c286c67a3da085b006ae7b3c

LgoogLoader

+ 968 additional samples on MalwareBazaar

Result

Malware family:

lgoogloader

Score:

10/10

Tags:

family:lgoogloader downloader persistence

Link:

https://tria.ge/reports/230120-npeefaff3s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Sets service image path in registry

Detects LgoogLoader payload

LgoogLoader

Unpacked files

SH256 hash:

6cfc4dfd10e4a160e8d70e9a8178288daff0ec49e39dd5f45f9ea553b94b4a8f

MD5 hash:

2bfb1210836df1f8cd8ad0b23a4e751b

SHA1 hash:

a9f0b00f0f237557338a7fdad9be320aff5c914b

Link:

https://www.unpac.me/results/5b0a8715-3653-4333-bbad-f7bcd752f274/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6cfc4dfd10e4a160e8d70e9a8178288daff0ec49e39dd5f45f9ea553b94b4a8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2509599/

Cape

https://www.capesandbox.com/analysis/354916/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample