MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


lgoogLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993
SHA3-384 hash: 461473793321968d13490743f016c7656afc1bfdad3ea3a2cde4b64c7d43b763a986ca21c0857c2279b1b6f376823642
SHA1 hash: edc73c5dc90b72a91371bce3520626544520d377
MD5 hash: a7bfdce2dc701de7cc9ee15e43e50eb8
humanhash: ack-west-arizona-florida
File name:file
Download: download sample
Signature lgoogLoader
Create hunting rule
File size:2'000'792 bytes
First seen:2022-11-10 11:14:33 UTC
Last seen:2022-11-11 13:42:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b128da42edc801068b5469911b24a324 (3 x lgoogLoader, 1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 24576:QjfXeoeW/TbbzMZllvkHr/PWNO595OYWGt6LCPcznv8WXD/A92l5AQj2DgTm4b1h:Qq2LDMCDhT5jPnP1y+Sv2AJp5aI5y4
Threatray 11 similar samples on MalwareBazaar
TLSH T18895F15892434521D7E15EF8BBFC4ACA56F21C62FA02E9D72B2F283F3D76462118419F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2c6c2e8bcdc69b2 (1 x lgoogLoader, 1 x Adware.Koutodoor)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:4ever.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-11T09:40:24Z
Valid to:2023-01-09T09:40:23Z
Serial number: 047d80a5afe23c26f01674b5d4a01fb6c4d0
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3305fe0845d08d84e438be7ce48fc77e0ab48435c03995af5deed1e60d9ccce9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://myfileexe.s3.ap-northeast-3.amazonaws.com/oKiIPGoTVDhU.exe

Intelligence

File Origin
# of uploads :
20
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-10 11:17:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ccce22d8-dd9f-4673-94d6-917512402455

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/331858/
Detection(s):
SecuriteInfo.com.Adware.004b94d01.21628.10188.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a custom TCP request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/50917/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/636cdd3737a53af3a7f54dac/reports/979f8591-b40c-4993-a7b3-dd4ddf254891/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5472245-cb0e-4bda-86de-a97455ee22a0
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1110317
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-10 11:15:11 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=poobvka255qmbnad744ft7cmnpqljd5vnyneivxuf3invbeudgjq._file
Verdict:
malicious
Similar samples:
303bd4a9a4f522900dcb9af3030f9683b64cb904e12e75ed06723c43215ef438
lgoogLoader
322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
lgoogLoader
32e8bb7e05049dcc6ffad8ff029468246734dd8adb01af52a55ddc1488b397c3
lgoogLoader
515780fa8ff85a48d8c2e2d1f3d72d42fb22ab8d08cf7845b92a53ffdf60cfe6
lgoogLoader
84b57d3d7fdabaebcd85cf01dbf14b9cb94e08fe081abcb60b218c1298c55995
lgoogLoader
8aa42c477d96d5cf3a5d9ea88ebc6e82d8db7970f85fd03924447040e2758a96
lgoogLoader
bc5e3b9e7638a68bbb36387281fedc1bedb12d67575b9242a47c0bf0c8f3c265
lgoogLoader
e1c911c9ca01ebd5d0293caf5662277d251276dfaf1dcdb3dc581718ad319330
lgoogLoader
fea97bcd0bcd24fae553aa9152a410e3e6064edbd8011c3b2d9fcee40cc430f8
lgoogLoader
+ 1 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader
Link:
https://tria.ge/reports/221110-ncj46abcbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detects LgoogLoader payload
LgoogLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/98d2a99e-5229-4f4a-8859-1276f17d3fb0
Unpacked files
SH256 hash:
948086134b19b2ed79e8e6c5a5bb4d6c92e2647697cae608f5fcbf94852f70e2
MD5 hash:
122b3f27cd8ca9da03363de10d2e421b
SHA1 hash:
d7786bf571f9aa02e76a466f91d749e44cb0dcd4
Link:
https://www.unpac.me/results/f1a0d146-3443-4861-8d5b-83f283694176/
SH256 hash:
aa391fd1dfd59fc4355814ebfa6904a912dfa9346fb2e43248cf721177641309
MD5 hash:
b0ae7e50c36e55442819a357b44cdf14
SHA1 hash:
12c6666b384930c4780eb904b8f4cfc42f100800
Link:
https://www.unpac.me/results/f1a0d146-3443-4861-8d5b-83f283694176/
SH256 hash:
7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993
MD5 hash:
a7bfdce2dc701de7cc9ee15e43e50eb8
SHA1 hash:
edc73c5dc90b72a91371bce3520626544520d377
Link:
https://www.unpac.me/results/f1a0d146-3443-4861-8d5b-83f283694176/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b9c1aa81aef/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/331858/
  
URLhaus
https://urlhaus.abuse.ch/url/2406865/

Comments