MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177
SHA3-384 hash: 8b6d03ff6e845c4f24bb7f35d51ae8cd5fc62560721f55ee69e9d5f14a97e74f4dd582e069b97469b61686b5fb8ca57b
SHA1 hash: 53ffd2f4d10bfba0740c62b90f6c7993876b554f
MD5 hash: 5eb9a3c33c81bdef437a63de75fc3b39
humanhash: aspen-mango-batman-papa
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'321'368 bytes
First seen:2022-12-22 22:11:10 UTC
Last seen:2022-12-22 23:31:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 21b6a4e9054e8bbad032c11f147ef0f3 (3 x LgoogLoader, 1 x ArkeiStealer, 1 x ManusCrypt)
ssdeep 24576:FMdR1a+CnpE+NSGZ1Ih0DN7kG1oPmz22G7743qSgvJR0exgl0PGT8zf4jtBRKrMP:WnOE+NSki+GlBBxvgTafotBFKvxxmH
Threatray 252 similar samples on MalwareBazaar
TLSH T11A555A06917BBA10E433FFB64478960F8E9367728DE5B15193CABD015CA3170A6CDBAC
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2b968ececccccc4c (1 x LgoogLoader, 1 x Rhadamanthys)
Reporter jstrosch
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:glues.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-28T06:36:16Z
Valid to:2023-02-26T06:36:15Z
Serial number: 04a495f7cb21dd72e60e737addef21d4421a
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 8a4f2a0e3d85bf14794e73508813f65d41012e4f614995453ccd158bb07ff7fd
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-12-22 22:12:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ba94db8-5c31-4618-b093-cc6f5fc60624

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349212/
Detection(s):
SecuriteInfo.com.Variant.Jaik.109106.16391.13778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63a4d6334a44a7f110089cec/reports/7abf1643-5145-4434-aef4-bdfe23f58620/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb6663eb-5b7e-49ba-b61e-077de5e6ff27
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1139657
Signature
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 772387 Sample: file.exe Startdate: 22/12/2022 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for dropped file 2->40 42 Yara detected lgoogLoader 2->42 44 Yara detected AntiVM3 2->44 46 2 other signatures 2->46 8 file.exe 19 2->8         started        process3 dnsIp4 32 bitbucket.org 104.192.141.1, 443, 49720, 49723 AMAZON-02US United States 8->32 34 s3-w.us-east-1.amazonaws.com 54.231.193.137, 443, 49722, 49724 AMAZON-02US United States 8->34 36 3 other IPs or domains 8->36 26 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 8->26 dropped 56 Writes to foreign memory regions 8->56 58 Allocates memory in foreign processes 8->58 60 Injects a PE file into a foreign processes 8->60 13 fontview.exe 1 8->13         started        18 ngentask.exe 8->18         started        file5 signatures6 process7 dnsIp8 38 44software.org 80.76.51.101, 49732, 49734, 49739 CLOUDCOMPUTINGDE Bulgaria 13->38 28 C:\Users\user\AppData\...\nsis_uns2065f00.dll, PE32+ 13->28 dropped 62 Query firmware table information (likely to detect VMs) 13->62 64 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 13->64 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->66 68 4 other signatures 13->68 20 rundll32.exe 13->20         started        file9 signatures10 process11 dnsIp12 30 44software.org 20->30 48 System process connects to network (likely due to code injection or exploit) 20->48 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->50 52 Tries to steal Mail credentials (via file / registry access) 20->52 54 2 other signatures 20->54 24 WerFault.exe 20->24         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-12-22 22:12:07 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
14 of 39 (35.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qaupcv2vjf7gbl2pcxqlofyueos2wmobfnjjudyxqb6yibtf2f3q._file
Verdict:
malicious
Similar samples:
154ca9b65ed10747abd833a0ea2a7b5135742ea3fdad1f53f006216fc7950ebf
LgoogLoader
2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d
LgoogLoader
3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597
LgoogLoader
590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052
LgoogLoader
6b955c6b75fd243f374ffffc38466f94889e3a5ccb3947babf4e79e8358db6fe
LgoogLoader
9f29109994932960f368925877a9beed7cd6e687686cc8131937e7bbe58384f4
LgoogLoader
c0178dc0e1f125da7b6bab419edc783fdff63a376019140e086e6bc10ec588bd
LgoogLoader
dabdfc50cc2a6bc20b098b7feee83bedf463d58e0a9f824831290acefddc703c
LgoogLoader
dc97a6f3209e48c6b45354965214110cc515209135483152672cc73f149cfbcf
LgoogLoader
e3ac933f39d5fa387a5f844d1d29379d88c4421aa72ac4e9b50d8bc1d5b40fa4
LgoogLoader
+ 242 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221222-14gvbsfc92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/68d31671-c8ae-4afa-8af7-ad35f1f34e27
Unpacked files
SH256 hash:
02e3101243da98ff210ef9a78b03bdae0b74de2223665fb0ab3d6be81c32eeb8
MD5 hash:
dfbeb70d2903ad21d726a98d66caeb40
SHA1 hash:
f5356d16d41d5b1a0614c9c6e1ec6db318875156
Link:
https://www.unpac.me/results/bbfa57ad-b75b-4137-9b59-16ba519536cf/
SH256 hash:
8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177
MD5 hash:
5eb9a3c33c81bdef437a63de75fc3b39
SHA1 hash:
53ffd2f4d10bfba0740c62b90f6c7993876b554f
Link:
https://www.unpac.me/results/bbfa57ad-b75b-4137-9b59-16ba519536cf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8028f1575549/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LgoogLoader

Executable exe 8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349212/

Comments