MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89e38e3faf20476d7e207d39fccffbe8c09b370f1fdbeca0d70caa0326077503. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

lgoogLoader

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	89e38e3faf20476d7e207d39fccffbe8c09b370f1fdbeca0d70caa0326077503
SHA3-384 hash:	46c965ac9b0e34a54ca4248577b2b9b278825e4f39870694140f891885983860796fca6eac472b7a3ce5ad1bdc5f5c36
SHA1 hash:	42ab5f6d836670f02d4a3813066be93cae9a3e4b
MD5 hash:	4f7ede8ca578845562f7fdbbc413f980
humanhash:	low-edward-venus-charlie
File name:	file
Download:	download sample
Signature	lgoogLoader Create hunting rule
File size:	1'838'496 bytes
First seen:	2022-11-11 18:47:36 UTC
Last seen:	2022-11-12 19:35:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a474abaebc5d0adef07154b9e44ae03b (1 x lgoogLoader, 1 x ArkeiStealer)
ssdeep	49152:S2jRwGaV31gVYYhdauCFNlOTfw5C6HQe/Zvq98Jb+GNcBvG:SoDg36Y689CTwC6HQGZvq98JbwBO
TLSH	T13A8502538E13DAE3E64F68795638EECE593DB85EFC3DD84D89E63361CC014984440E9A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0ccdcc4f4c8d4cc (1 x lgoogLoader)
Reporter	andretavare5
Tags:	exe LgoogLoader signed

Code Signing Certificate

Organisation:	synthesis.com
Issuer:	R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-09-29T18:13:49Z
Valid to:	2022-12-28T18:13:48Z
Serial number:	03e4cc02542459b73e5f191e4187d42b149c
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	f4ee8bb77dd0ddcfe1cc281c79ae4e4cd9022af9bbe31b81e209ef9dbc6ebd34
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://myfileexe.s3.ap-northeast-3.amazonaws.com/oKiIPGoTVDhU.exe

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-11 18:52:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d7226452-9d42-41ac-bcf4-0187d7202529

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/332570/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.18855.32110.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Enabling the 'hidden' option for files in the %temp% directory

Launching a process

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/636e98e57662ecf10839c384/reports/4a45f2aa-c3f3-4e63-af0d-21d86b7c0bad/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sathurbot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75d940c5-feaa-4d57-a6fe-0934cb96f4d8

Result

Threat name:

lgoogLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1111460

Signature

Allocates memory in foreign processes

Found evasive API chain (may stop execution after checking mutex)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected lgoogLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89e38e3faf20476d7e207d39fccffbe8c09b370f1fdbeca0d70caa0326077503/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-11-11 18:48:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 25 (52.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rhry4p5pebdw27rapu47zt735dajwnypd7n6zigxbsvagjqhoubq._file

Verdict:

malicious

Result

Malware family:

lgoogloader

Score:

10/10

Tags:

family:lgoogloader downloader

Link:

https://tria.ge/reports/221111-xftmfahh84/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Downloads MZ/PE file

Detects LgoogLoader payload

LgoogLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/294392c5-932b-464a-8503-47d8cdf0b40e

Unpacked files

SH256 hash:

7796d8c044b5eab14721dedc9a9c6d2ca7c25ae9cd0428a246794d316dd89aa4

MD5 hash:

c7361668fc301585241ff8d78c730350

SHA1 hash:

89a6603bbb9391a72e9c31363fa18cfaa76a9069

Link:

https://www.unpac.me/results/7d64f4f7-03f2-4faf-aa22-13f7cfd8c28d/

SH256 hash:

cb175fbbb9ac80e4e90ab0a4fdc83959d3385c11e8dfea7dcbeeba2677bdc763

MD5 hash:

8c69f4994f259322483082df84efb40f

SHA1 hash:

8bc6eb516d7871c1c20db4328ec44d724dc4b1f3

Link:

https://www.unpac.me/results/7d64f4f7-03f2-4faf-aa22-13f7cfd8c28d/

SH256 hash:

89e38e3faf20476d7e207d39fccffbe8c09b370f1fdbeca0d70caa0326077503

MD5 hash:

4f7ede8ca578845562f7fdbbc413f980

SHA1 hash:

42ab5f6d836670f02d4a3813066be93cae9a3e4b

Link:

https://www.unpac.me/results/7d64f4f7-03f2-4faf-aa22-13f7cfd8c28d/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/89e38e3faf20/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/89e38e3faf20476d7e207d39fccffbe8c09b370f1fdbeca0d70caa0326077503

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2406865/

Cape

https://www.capesandbox.com/analysis/332570/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample