MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 948ee2d018889c293979266e1199ad316dbc36fbea1b37a3ecb2fe9de9795c6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 948ee2d018889c293979266e1199ad316dbc36fbea1b37a3ecb2fe9de9795c6e
SHA3-384 hash: 9ddaac778ee24459a1f71d81c30602fa6db4a0de417feb20061c8ce47c0f3f1ab71578d80e748a4778007955b830f774
SHA1 hash: b3693cd678ec5b162ed4d38a243bc504ecf43686
MD5 hash: 47cffe66db5aa532463cb1f3f2e1ff76
humanhash: august-burger-lima-november
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'247'080 bytes
First seen:2023-01-01 09:29:47 UTC
Last seen:2023-01-01 13:55:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:t7daQ0Pkg18zFRN9qeWHxZw6eztYnWTAnbqzDb4Mdb7aOd4dkz6CDApAUquYx+rL:pd6KgVaNlatrf6uSHSqBBIN
Threatray 881 similar samples on MalwareBazaar
TLSH T16045283439FB502AB173EEAA8BE475DADA6FB3333B06646D105103464723A82DED153D
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:installler
Issuer:installler
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-01T07:53:28Z
Valid to:2024-01-01T07:53:28Z
Serial number: 3e14879112c27bb7ec27f3b6662030d2
Thumbprint Algorithm:SHA256
Thumbprint: 9527d1db651fe8a6d7d29f0fa00409b589c1874c367cc6714d65ad964e1e8b30
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://www.isurucabs.lk/Ads11.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-01 09:32:58 UTC
Tags:
opendir loader evasion stealer
Link:
https://app.any.run/tasks/faf0bc84-016a-443e-be05-c36c3d4ce194

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Sending a custom TCP request
Launching a process
Creating a file
Enabling autorun for a service
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63b1529e83a5ae8cb4a793bf/reports/12ab9d3b-decd-4e12-9c23-cf91ce19588d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/578323dc-27af-4c37-a226-3dc93a164c18
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1143813
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/948ee2d018889c293979266e1199ad316dbc36fbea1b37a3ecb2fe9de9795c6e/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-01 09:30:09 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
8 of 26 (30.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sshofuayrcocsolzezxbdgnngfw3ynx35intpi7mwl7j32lzlrxa._file
Verdict:
malicious
Similar samples:
3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f
LgoogLoader
6f05a91cd30498cf1bc9b2e0058f1e3caa18b401b77d0a83b71a6df845430716
LgoogLoader
73a4ca1224bc4657443596157d3ce150bcd4b6dd32217f2467818c7efea4ee43
LgoogLoader
866056e13d99c7a721a0e66aef8c2526dd2b8b6cecc90b0583699a175eeb66b7
LgoogLoader
a4a93882eebffcb57433742517438c5d56a6d67470a674558f4db52ff4306c9a
LgoogLoader
a99c69752668a94268cdb482df74649d755fcf56ecd9f431b1cb03b816a593cc
LgoogLoader
a9cf955162a9164b63c70530a2ed72b02ab53f7b39a3a9ece842cd2bebfb117c
LgoogLoader
c7943ee404bd5a75c74a3570ed1c118fc190b0c03bd66f37c6495ef84b47ee27
LgoogLoader
d5f4b34691f83d4e43fca884fd61b14af4893be3843ec3d41ed1c38539b28f6d
LgoogLoader
e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3
LgoogLoader
+ 871 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader persistence
Link:
https://tria.ge/reports/230101-lgg49abd75/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Sets service image path in registry
Detects LgoogLoader payload
LgoogLoader
Unpacked files
SH256 hash:
948ee2d018889c293979266e1199ad316dbc36fbea1b37a3ecb2fe9de9795c6e
MD5 hash:
47cffe66db5aa532463cb1f3f2e1ff76
SHA1 hash:
b3693cd678ec5b162ed4d38a243bc504ecf43686
Link:
https://www.unpac.me/results/e4a12576-eee1-4846-9489-976a40e0191c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/948ee2d018889c293979266e1199ad316dbc36fbea1b37a3ecb2fe9de9795c6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2488375/

Comments