MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76ceea32c047b1b705dc7c4dd5e077d8d95061eade40ef8ddf53b269151cfb3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76ceea32c047b1b705dc7c4dd5e077d8d95061eade40ef8ddf53b269151cfb3f
SHA3-384 hash: d758be20d2fb00cce2235b3cb393ed48734b6b5bc02042f08571841344418ddba882822cd24710c739c59fb2af4ea7c8
SHA1 hash: 2a1be8e21f9c8363c6988bbc6cba104deaf7e746
MD5 hash: 76cf8a3101f5ad89d746a014daa6a612
humanhash: triple-king-zebra-nevada
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'284'008 bytes
First seen:2022-11-25 19:03:49 UTC
Last seen:2022-11-26 01:19:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 865328ec6e8c931f31b423bc1dffe934 (2 x LgoogLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep 24576:ywnDDSyB/u0P1KxAsYeakvzbgYiqpiN8jQLMPNuyuLwlDywbXY:ywd/u04x7tUwkmbM
Threatray 721 similar samples on MalwareBazaar
TLSH T18955AEA1EF8F1B71C7B50631E014D288B6424AFA9F462F4397FEAF5653A2E607900774
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0ccaea6aaa6f0f0 (1 x LgoogLoader, 1 x Vidar)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:lightweight.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-23T01:34:00Z
Valid to:2023-01-21T01:33:59Z
Serial number: 03bd4d35d83158d19f0c08eb37233d489710
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: d9f6aa083b26fcea38f6895c74e58deaeae3e6dffae14e38c64e4269ce77512d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656841746?hash=BEWZzz4R8mKBiJ0crqNAX3y1wMtkOfKuyoqYLdFk96T&dl=G43DANZVGAYDSNY:1669399455:CnxR75kvQzzEQoZ7GQzHX1lHmEHEGJw5iygjI6Lbbcz&api=1&no_preview=1adan

Intelligence

File Origin
# of uploads :
7
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-11-25 19:05:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a74ad180-c8d5-43c8-8b7c-350964c9f22b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338575/
Detection(s):
SecuriteInfo.com.Variant.Jaik.105197.4970.10448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Сreating synchronization primitives
Forced shutdown of a system process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638111a65be128ac718eded8/reports/fc1cfc4e-998d-4f5e-923a-8ce6444ce76a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c229700-898e-46b5-a5f2-93edebd68654
Result
Threat name:
RedLine, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121332
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Drops PE files with benign system names
Found stalling execution ending in API Sleep call
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 754049 Sample: file.exe Startdate: 25/11/2022 Architecture: WINDOWS Score: 100 30 api.ip.sb 2->30 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 8 other signatures 2->42 8 file.exe 19 2->8         started        signatures3 process4 dnsIp5 32 www.sssupersports.com 172.67.206.152, 443, 49707, 49708 CLOUDFLARENETUS United States 8->32 34 cckdckyl5sx4kijlr7eb.1nwphwxqco08svj 8->34 22 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 8->22 dropped 24 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 8->24 dropped 26 C:\Users\user\AppData\...\resource[1].bin, PE32+ 8->26 dropped 28 C:\Users\user\AppData\...\library[1].bin, PE32 8->28 dropped 44 Found stalling execution ending in API Sleep call 8->44 46 Writes to foreign memory regions 8->46 48 Allocates memory in foreign processes 8->48 50 3 other signatures 8->50 13 svchost.exe 1 8->13         started        16 ngentask.exe 8->16         started        18 ngentask.exe 8->18         started        file6 signatures7 process8 signatures9 52 Multi AV Scanner detection for dropped file 13->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->54 56 Machine Learning detection for dropped file 13->56 64 2 other signatures 13->64 20 jsc.exe 2 13->20         started        58 Contains functionality to infect the boot sector 16->58 60 Contain functionality to detect virtual machines 16->60 62 Contains functionality to inject code into remote processes 16->62 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76ceea32c047b1b705dc7c4dd5e077d8d95061eade40ef8ddf53b269151cfb3f/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-11-25 19:04:10 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
9 of 41 (21.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3houmwai6y3obo4prg5lydx3dmvaypk3zao7do7kozgsfi47m7q._file
Verdict:
malicious
Similar samples:
1ee453a94d90e6bd3615d306d7139c3abb5b7ea4f9f817a10218606c4aadcddf
LgoogLoader
35dfcc3167da89c032e4efcd6f50a9d71a49fd8f63899fa8aea63c0b6229bedd
LgoogLoader
4184d4b8d72dd7c39855ec4b2916603118219bae7d2adcf6c5e31ab88466cc35
LgoogLoader
4da7f43fa70121be771a3049f7c19e864332e5311f14ee1eac2ea25d5349df31
LgoogLoader
544ccf26cf0038cc8d76b952e349f3e49db27e4d2cdc89ea72fa2fb8e8996038
LgoogLoader
66242b095b2cfb53b52d1743a42aaa9fd94c6b53f58869c4b1c9d893a541e3a6
LgoogLoader
8401c053dfd509441c73c2d06619fbeff3794da4c86b59f4f7de80db539e062f
LgoogLoader
8755b249212ed03acf40d6c02894ec5a48f62312d7f4dfb802cb17886d8c922f
LgoogLoader
a7dc1d7849adc86bc322f33ae8316be94e572df4442da18826330c2bdc124152
LgoogLoader
ca240b4fd7c8b8dc492d92070641e46fd4dd125a7e9d394d7d1bba7e83cabfca
LgoogLoader
+ 711 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221125-xqxrvabg3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/39386658-47c3-4c72-85c3-cc6151963e0a
Unpacked files
SH256 hash:
9917a4ff5a84b2124e76c79aed79cd1d643d5e865a16c6257b9760adcc45069c
MD5 hash:
ae9cdcd28b7d28793f7da4211782fd02
SHA1 hash:
e64fa40abd81a49419e95d3323fa41423681d180
Link:
https://www.unpac.me/results/3bc31575-cf14-460c-bb57-ebf93aa5053c/
SH256 hash:
76ceea32c047b1b705dc7c4dd5e077d8d95061eade40ef8ddf53b269151cfb3f
MD5 hash:
76cf8a3101f5ad89d746a014daa6a612
SHA1 hash:
2a1be8e21f9c8363c6988bbc6cba104deaf7e746
Link:
https://www.unpac.me/results/3bc31575-cf14-460c-bb57-ebf93aa5053c/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/76ceea32c047/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/76ceea32c047b1b705dc7c4dd5e077d8d95061eade40ef8ddf53b269151cfb3f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/338575/

Comments