MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6df252545bbc45b36e5ee493692d83376552ab9424d37e4c31deeec0e7ed190b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: LgoogLoader
Vendor detections: 11

SHA256 hash: 6df252545bbc45b36e5ee493692d83376552ab9424d37e4c31deeec0e7ed190b
SHA3-384 hash: bca9f482ed6cace1243d6ae3fea64e6880a7db66afe1eeb9b48493adb03a724380beaacda31dac24d49721b1c6be2d7a
SHA1 hash: 772244ed273c8420f4732cca1323471a2c07b74d
MD5 hash: 6e55c04d2c37fcca497c2b2e70a110c6
humanhash: mexico-quiet-sodium-tango
File name: 6e55c04d2c37fcca497c2b2e70a110c6.exe
Signature: LgoogLoader
File size: 486'912 bytes
First seen: 2022-12-12 17:24:55 UTC
Last seen: 2022-12-12 18:30:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 12288:vEDEyuTQX1TF4RHonVJmJpB7YSS0lahf9nJjNOgCVEzmMC:vE4TmTFGH2V0pB7ZLaLJjNOgCSzmM
Threatray: 800 similar samples on MalwareBazaar
TLSH: T134A4F16C2376E970E7760279D2C9671043C35B2AE3E1625FE539EA87207E383533749A
TrID:
  56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  11.0% (.ICL) Windows Icons Library (generic) (2059/9)
  10.9% (.EXE) OS/2 Executable (generic) (2029/13)
  10.7% (.EXE) Generic Win/DOS Executable (2002/3)
  10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter: abuse_ch
Tags: exe LgoogLoader

Intelligence


File Origin
# of uploads: 2
# of downloads: 163
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6e55c04d2c37fcca497c2b2e70a110c6.exe
Verdict: Malicious activity
Analysis date: 2022-12-12 17:34:49 UTC
Tags: opendir loader evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Changing a file
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Enabling autorun for a service
Blocking the User Account Control
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Fabookie, ManusCrypt, Socelars
Detection: malicious
Classification: troj.evad.phis.bank.spyw.expl
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
Disables UAC (registry)
Early bird code injection technique detected
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loads a driver with an invalid driver name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Chrome's extension installation force list
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites Mozilla Firefox settings
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Writes to foreign memory regions
Yara detected Fabookie
Yara detected ManusCrypt
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 765638
Sample: xer2iZF2nM.exe
Startdate: 12/12/2022
Architecture: WINDOWS
Score: 100

Process tree (node numbers as in the behavior graph; "injected into" marks processes the parent injected into rather than started):

2 Start node
   Network: g.agametog.com; aaa.apiaaaeg.com; 7 other IPs or domains
   Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 15 other signatures
   Started: 13 xer2iZF2nM.exe; 17 rundll32.exe; 19 svchost.exe; 21 (2 other processes)

13 xer2iZF2nM.exe (from 2)
   Dropped: C:\Users\user\AppData\Local\Temp\?????.sys (PE32+); C:\Users\user\AppData\...\xer2iZF2nM.exe.log (CSV)
   Signatures: Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; Disables UAC (registry); 2 other signatures
   Started: 23 CasPol.exe; 27 powershell.exe

17 rundll32.exe (from 2)
   Started: 29 rundll32.exe

19 svchost.exe (from 2)
   Started: 32 WerFault.exe

23 CasPol.exe (from 13)
   Network: 23.160.193.16 NETINF-PRIMARY-ASUS United States; cdn.discordapp.com 162.159.129.233 CLOUDFLARENETUS United States; 4 other IPs or domains
   Dropped: C:\Users\user\AppData\Local\Temp\...\kEpvNF (PE32); C:\Users\user\AppData\Local\Temp\...\nZDxfd (PE32); C:\Users\user\AppData\Local\Temp\...\cwCMwk (PE32+); 7 other malicious files
   Started: 34 cwCMwk; 37 LwbAbf; 40 nZDxfd; 51 (2 other processes)

27 powershell.exe (from 13)
   Started: 43 conhost.exe

29 rundll32.exe (from 17)
   Signatures: Contains functionality to infect the boot sector; Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; 5 other signatures
   Injected into: 45 svchost.exe; 47 svchost.exe; 49 svchost.exe; 53 (13 other processes)

34 cwCMwk (from 23)
   Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Early bird code injection technique detected; 4 other signatures
   Started: 55 wuauclt.exe

37 LwbAbf (from 23)
   Dropped: C:\Users\user\AppData\Local\...\LwbAbf.tmp (PE32)
   Signatures: Obfuscated command line found
   Started: 58 LwbAbf.tmp

40 nZDxfd (from 23)
   Network: 148.251.234.83 HETZNER-ASDE Germany; 149.28.253.196 AS-CHOOPAUS United States
   Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
   Started: 61 WerFault.exe

45 svchost.exe (injected by 29)
   Signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
   Started: 64 svchost.exe; 66 consent.exe

51 2 other processes (from 23)
   Network: aaa.apiaaaeg.com 45.66.159.18 ENZUINC-US Russian Federation; star-mini.c10r.facebook.com 157.240.201.35 FACEBOOKUS United States; 2 other IPs or domains
   Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
   Signatures: Creates processes via WMI
   Started: 68 conhost.exe

55 wuauclt.exe (from 34)
   Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
   Started: 70 wusa.exe; 72 wuauclt.exe

58 LwbAbf.tmp (from 37)
   Dropped: C:\Windows\unins000.exe (copy) (PE32); C:\Windows\is-1NO01.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
   Signatures: Modifies Chrome's extension installation force list

61 WerFault.exe (from 40)
   Network: 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States

64 svchost.exe (from 45)
   Network: g.agametog.com 34.142.181.181 ATGS-MMD-ASUS United States; 208.95.112.1 TUT-ASUS United States; 104.21.34.132 CLOUDFLARENETUS United States
   Dropped: C:\Users\user\AppData\...\cookies.sqlite.db (SQLite); C:\Users\user\AppData\Local\...\Login Data.db (SQLite, two entries); C:\Users\user\AppData\Local\...\Cookies.db (SQLite)
   Signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically); 2 other signatures

70 wusa.exe (from 55)
   Started: 74 mmc.exe

74 mmc.exe (from 70)
   Network: 40.119.148.38 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 127.0.0.1 unknown unknown
   Dropped: C:\Users\user\AppData\Roaming\6Z0x12.sys (PE32+)
   Signatures: Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver
   Started: 79 powershell.exe

79 powershell.exe (from 74)
   Started: 81 conhost.exe
Threat name: ByteCode-MSIL.Trojan.RedLine
Status: Malicious
First seen: 2022-12-12 08:17:16 UTC
File Type: PE+ (.Net Exe)
Extracted files: 1
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family: lgoogloader
Score: 10/10
Tags: family:lgoogloader downloader evasion persistence trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
Windows security modification
Sets service image path in registry
Detects LgoogLoader payload
LgoogLoader
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 6df252545bbc45b36e5ee493692d83376552ab9424d37e4c31deeec0e7ed190b
MD5 hash: 6e55c04d2c37fcca497c2b2e70a110c6
SHA1 hash: 772244ed273c8420f4732cca1323471a2c07b74d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LgoogLoader
File type: Executable exe
SHA256: 6df252545bbc45b36e5ee493692d83376552ab9424d37e4c31deeec0e7ed190b (this sample)

Delivery method: Distributed via web download
