MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8080f28eb2c4e6406a8df0f3ed8c1f42f8bb038a35398e13d29c618ade13d06e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8080f28eb2c4e6406a8df0f3ed8c1f42f8bb038a35398e13d29c618ade13d06e
SHA3-384 hash: 4e6c50bf36d9312ed8a8530c97c793db896bdd03b39cced6a9150b1bfe436d35c57752609aa4e7adf85518ac31c6b4c1
SHA1 hash: 83c4893ea4e7bbe82cd5b9ad197e37462e9c43c6
MD5 hash: 64611ca692664bc54b040e4b01c38ff4
humanhash: paris-table-hawaii-summer
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:411'648 bytes
First seen:2023-06-11 12:33:32 UTC
Last seen:2023-06-12 00:49:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:8mXHmM0YFSJrXx0ooARRMkAHFIxobrvZkJv6SjaFvVmuLyRpPS68urGh3Lzs/vqH:Z10YMmooARiXCFT2Fp6SQaofZAf
TLSH T16394F8667B1044F3CC2916F5A83B89A0777B7D7EE578024922DCB3495FF72A64822783
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe LgoogLoader


Avatar
andretavare5
Sample downloaded from http://85.217.144.228/files/123.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
279
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-11 12:35:55 UTC
Tags:
opendir loader gcleaner
Link:
https://app.any.run/tasks/9b7bc207-1553-46d6-bd0a-7075e5e16682

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397784/
Detection(s):
SecuriteInfo.com.Variant.Tedy.381850.30738.11443.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Creating a window
Searching for the window
Enabling autorun for a service
Forced shutdown of a system process
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6485bf3bc6414862d2065ccb/reports/fabdd6f0-7d0a-4ff7-807f-a4a52922e9d9/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/8080f28eb2c4e6406a8df0f3ed8c1f42f8bb038a35398e13d29c618ade13d06e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1227922a-bb43-47b0-95bc-b78e310a2623
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1252544
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected lgoogLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8080f28eb2c4e6406a8df0f3ed8c1f42f8bb038a35398e13d29c618ade13d06e/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-11 12:34:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
10
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcapfdvsyttea2un6dz63da7il4lwa4kgu4y4e6strqyvxqt2bxa._file
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader persistence
Link:
https://tria.ge/reports/230611-prrm8ahg61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Sets service image path in registry
Detects LgoogLoader payload
LgoogLoader
Unpacked files
SH256 hash:
8080f28eb2c4e6406a8df0f3ed8c1f42f8bb038a35398e13d29c618ade13d06e
MD5 hash:
64611ca692664bc54b040e4b01c38ff4
SHA1 hash:
83c4893ea4e7bbe82cd5b9ad197e37462e9c43c6
Link:
https://www.unpac.me/results/e421757f-ccc3-4cd3-879e-fba924d5af76/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8080f28eb2c4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8080f28eb2c4e6406a8df0f3ed8c1f42f8bb038a35398e13d29c618ade13d06e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2627614/
Cape
Cape
https://www.capesandbox.com/analysis/397784/

Comments