MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 937e73c80582b2c880a5af198e6520e76e22c3e1ef2fe4a8278d0b49ec61ef86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 937e73c80582b2c880a5af198e6520e76e22c3e1ef2fe4a8278d0b49ec61ef86
SHA3-384 hash: ae27a6223f9797b96cf3ad107adc132ed378b930501816606cf57ec2a6553fc235a06337dac15047afa07b3eca8945ed
SHA1 hash: bf79406ca47883ee0af62c0234904440d043dfe3
MD5 hash: eb47e26ebfedc3dbe6789239ccefb34c
humanhash: papa-salami-twelve-aspen
File name:QueenOfTheBlackNudes.exe
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:24'159'629 bytes
First seen:2022-12-30 05:58:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 393216:OZAlUljz3kBEW/m3pc+/oTW8amuFKWD2NJ/2dOYG:OWlUljz3aKJCW8du92DvY
Threatray 38 similar samples on MalwareBazaar
TLSH T11737334BF3E108ECE8EC1337E88ED07167B1E86B4728D64B0BD524541ED7656AC3AE61
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter JaffaCakes118
Tags:exe LgoogLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QueenOfTheBlackNudes.exe
Verdict:
Malicious activity
Analysis date:
2022-12-30 06:00:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f563154f-f7dc-4194-bccb-ac14cd7d4a3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Detected-9978778-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Launching a process
Creating a window
Launching the process to change network settings
Сreating synchronization primitives
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63ae7decbf1064ac5b2d1f3c/reports/92f84992-3fb4-4fb7-b22c-354da7831135/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Discord Token Stealer, Luna Logger
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1143072
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Yara detected Discord Token Stealer
Yara detected Luna Logger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 775802 Sample: QueenOfTheBlackNudes.exe Startdate: 30/12/2022 Architecture: WINDOWS Score: 68 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected Discord Token Stealer 2->24 26 Yara detected Luna Logger 2->26 8 QueenOfTheBlackNudes.exe 501 2->8         started        process3 signatures4 28 May check the online IP address of the machine 8->28 11 QueenOfTheBlackNudes.exe 7 8->11         started        process5 dnsIp6 18 api4.ipify.org 64.185.227.156, 443, 49719 WEBNXUS United States 11->18 20 api.ipify.org 11->20 14 cmd.exe 1 11->14         started        process7 process8 16 conhost.exe 14->16         started       
Gathering data
Threat name:
Win64.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-12-30 05:59:57 UTC
File Type:
PE+ (Exe)
Extracted files:
4011
AV detection:
9 of 26 (34.62%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sn7hhsafqkzmraffv4my4zja45xcfq7b54x6jkbhrufut3db56da._file
Verdict:
unknown
Similar samples:
08da286f669199a5c2b131f66614bbb3718b159e48885f4a2b1c9af718256dd0
LgoogLoader
12a23889a21d1682c204c2530270c5e80d0666f00382ee14bed50babf68daa83
LgoogLoader
20632d113408af16371070219ed4e9f260a3cc23db39fcddce2580ebf6669b5f
LgoogLoader
29a0ec2958b900db46598043791f3b672c7c62cf3d0ebd44444c208d057d05ce
LgoogLoader
329d77b0ab5af0e568b9d56e3c3f7afc4266bf2cea0bd816ed4e67d4c9a09692
LgoogLoader
61b16d71a76f83cef63d079b0735cd0a1cee24f1119063e28ef1f227f2bb27c4
LgoogLoader
6ae3599bcbb951c7fe73ab6060a654b5ced2e83cf3ff15038bec95743232425e
LgoogLoader
88214cd533e440416cb5fec9e1a419ad952cd3524274110eaa8ce8e1dbcd826a
LgoogLoader
c6af2ec456ad02b9eb3faf9fd9384d3dc43a55e7b1a58eec4440ee4bde1e99ce
LgoogLoader
d18e18eeee28b729ec305ddbafd393f3b36a8e5d6a3ba66d8c6d0eb6a1a210d0
LgoogLoader
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
pyinstaller upx
Link:
https://tria.ge/reports/221230-gn77ssac91/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Loads dropped DLL
UPX packed file
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1e1b4c43-8731-461b-aacb-702934de6442
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/937e73c80582b2c880a5af198e6520e76e22c3e1ef2fe4a8278d0b49ec61ef86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:shad0w_beacon_16June
Create hunting rule
Author:SBousseaden
Description:Shad0w beacon compressed
Reference:https://github.com/bats3c/shad0w

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LgoogLoader

Executable exe 937e73c80582b2c880a5af198e6520e76e22c3e1ef2fe4a8278d0b49ec61ef86

(this sample)

  
Delivery method
Distributed via web download

Comments