MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 882e136d6bd175d0d2a1d0ff6abf17cdfc9344cc3773e69e32dd469e16cffc15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LgoogLoader

Vendor detections: 9

SHA256 hash: 882e136d6bd175d0d2a1d0ff6abf17cdfc9344cc3773e69e32dd469e16cffc15
SHA3-384 hash: 0bd53cf26c85ae59192c4c2858cc9ac7d0d27b0fcf52d51a754f50b748a86bad2b52e415f3255827ba472d8c77591035
SHA1 hash: 36d09f1b2a75ca70f0d64444624ba352ee6dd967
MD5 hash: e7b38726c24dc3618a39948a8990133d
humanhash: sink-georgia-tennessee-april
File name: file
Download: download sample
Signature: LgoogLoader
File size: 1'422'578 bytes
First seen: 2022-12-20 08:34:21 UTC
Last seen: 2022-12-21 17:09:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash baa5b88b6bb86e914d34b43be035dc81 (4 x RecordBreaker, 3 x Arechclient2, 3 x RedLineStealer)
ssdeep 24576:EWmAFubSsdt9Mcpq2V8kr8kHAYvMuwypdzuHlFBd4kpqG:42sdRpq2pDgYvMuwybSTd4kpV
Threatray 3 similar samples on MalwareBazaar
TLSH T180651236F1C1D877D0720E7D8DAAD3E4627DB3102E1C694FB1E50B4D8E3A1925A6D28B
TrID 41.9% (.EXE) InstallShield setup (43053/19/16)
13.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
12.7% (.SCR) Windows screen saver (13097/50/3)
9.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
6.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE): PE icon
dhash icon: d496aa8eaaaa96cc (1 x LgoogLoader)
Reporter: andretavare5
Tags: exe LgoogLoader


andretavare5
Sample downloaded from https://vk.com/doc16081047_653376471?hash=dycsxFWblCmmEEfqzqYza7FEMOFIZwh8McKwZ16eoWT&dl=GE3DAOBRGA2DO:1671522633:rnCrJRzImuYj9qWEcbhrxvgiS7uGAcUsaHHtwy7OK6k&api=1&no_preview=1#adan

Intelligence


File Origin
# of uploads:
33
# of downloads:
200
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-20 08:37:23 UTC
Tags:
installer opendir loader evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Moving a file to the %temp% subdirectory
Running batch commands
Launching a process
Launching cmd.exe command interpreter
Creating a file
Launching a service
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Fabookie, ManusCrypt, RedLine, Socelars,
Detection:
malicious
Classification:
troj.evad.phis.bank.spyw.expl
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Obfuscated command line found
Overwrites Mozilla Firefox settings
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Fabookie
Yara detected lgoogLoader
Yara detected ManusCrypt
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: Behavior Graph ID 770495, Sample file.exe, Startdate 20/12/2022, Architecture WINDOWS, Score 100 (graph rendering not reproduced here)
Threat name:
Win32.Trojan.Nekark
Status:
Malicious
First seen:
2022-12-20 08:35:10 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
9 of 26 (34.62%)
Threat level:
5/5
Result
Malware family:
lgoogloader
Score:
10/10
Tags:
family:lgoogloader downloader upx
Behaviour
Checks processor information in registry
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Detects LgoogLoader payload
LgoogLoader
Unpacked files
SHA256 hash:
0132c185e69550ae7fa93410b2898ef4b2d43b793bd40ccc98dd4ee9111b4f5c
MD5 hash:
3f32dd4e028f3041d35652d956742db9
SHA1 hash:
a212613b5efba77395ca764e5ab586269fbac79d
SHA256 hash:
18479a0a722d7346505ac27b20a8c4ea6ac8b087010a6ed02aeb5833c9d9e7ff
MD5 hash:
8085a7221b1ca6dc5be44e029c7eb9e7
SHA1 hash:
2bffedeea6da345f53d3c27b112b0a3fbc5bb22c
SHA256 hash:
1f0e489f7c3e429cf3f9fd646b37f70a4cee92d782e9e6c3de2e4877acab05aa
MD5 hash:
6adb4a40719a11471c2b455041ae5e0e
SHA1 hash:
244138c707f5f2b30736c16071203762bffba108
SHA256 hash:
882e136d6bd175d0d2a1d0ff6abf17cdfc9344cc3773e69e32dd469e16cffc15
MD5 hash:
e7b38726c24dc3618a39948a8990133d
SHA1 hash:
36d09f1b2a75ca70f0d64444624ba352ee6dd967
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments