MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a48d0a440c75cc77f43f8639b282d5ff22d5ada4da08f7687f8bb1e64ab730fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a48d0a440c75cc77f43f8639b282d5ff22d5ada4da08f7687f8bb1e64ab730fe
SHA3-384 hash: 3a741cfe6fd5ff6467c88b06529ba45824288e7ca34306dbb2228eb383cf04d78f2108fc2b239a6f67ecff3f2cfb16de
SHA1 hash: fe0f628bd947454dfefa83bfc7e74ff87189d8f6
MD5 hash: 6a8f7c1b95ce34ec5e6106db6af53505
humanhash: orange-jupiter-princess-mockingbird
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'332'376 bytes
First seen:2022-11-23 12:24:03 UTC
Last seen:2023-08-27 08:56:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 17b2ad48aed5c3e9ae0df2624b0fa2b2 (2 x LgoogLoader, 1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 24576:ogp/0E+Q3/dDFqToZOyt6aq9t9LI/P+fbHIsKgxe:oy3FDFpOyUbt9Mef8Me
Threatray 145 similar samples on MalwareBazaar
TLSH T1D555BFEE47820623C62124B7FB210F85F1EEDD130D9A8175B21D3B366B3599CF49E866
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10687972f198c0d0 (2 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:corebuilds.co
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-17T07:13:41Z
Valid to:2023-04-15T16:56:47Z
Serial number: 8e164cade59ab0bf
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: d8eddd55f0626dc3ecc895daa1b767dd500630a82a70b8fc6c5643004e7a9a9e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://185.246.221.114/files/ADS.exe

Intelligence

File Origin
# of uploads :
24
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-23 12:26:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/57c9216f-30b1-411b-bcd1-daf9484f3959

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337591/
Detection(s):
SecuriteInfo.com.FileRepMalware.18824.29066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
DNS request
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/637e10e7559d07a06f46ff9e/reports/76ae1729-ed52-4b3e-944f-6c05d23fe872/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4bfc9b5d-8097-43d8-8152-f998b64b1a69
Result
Threat name:
RedLine, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1119683
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 752396 Sample: file.exe Startdate: 23/11/2022 Architecture: WINDOWS Score: 100 28 api.ip.sb 2->28 34 Snort IDS alert for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 9 other signatures 2->40 8 file.exe 19 2->8         started        signatures3 process4 dnsIp5 30 www.sssupersports.com 104.21.44.248, 443, 49716, 49717 CLOUDFLARENETUS United States 8->30 32 sgxz1sakyzssj0agzape.ycl8dwunsonwmipocb 8->32 20 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 8->20 dropped 22 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 8->22 dropped 24 C:\Users\user\AppData\...\library[1].bin, PE32 8->24 dropped 26 C:\Users\user\AppData\...\resource[1].bin, PE32+ 8->26 dropped 42 Writes to foreign memory regions 8->42 44 Allocates memory in foreign processes 8->44 46 Drops PE files with benign system names 8->46 48 2 other signatures 8->48 13 svchost.exe 3 8->13         started        16 ngentask.exe 8->16         started        file6 signatures7 process8 signatures9 50 Antivirus detection for dropped file 13->50 52 Multi AV Scanner detection for dropped file 13->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->54 62 3 other signatures 13->62 18 InstallUtil.exe 2 13->18         started        56 Contains functionality to infect the boot sector 16->56 58 Contain functionality to detect virtual machines 16->58 60 Contains functionality to inject code into remote processes 16->60 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a48d0a440c75cc77f43f8639b282d5ff22d5ada4da08f7687f8bb1e64ab730fe/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-23 12:25:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=usgquramoxghp5b7qy43fawv74rnllne3iepo2d7roy6msvxgd7a._file
Verdict:
malicious
Similar samples:
4f1f7b8e2fc6d9fb748e37d981d6e6cb9e5de29eab70eda27189da4e86bc8c88
LgoogLoader
515780fa8ff85a48d8c2e2d1f3d72d42fb22ab8d08cf7845b92a53ffdf60cfe6
LgoogLoader
61436285b70355a6e0239c982c9b4a12cf2061c5b9c1eb2f4ff97133c549e891
LgoogLoader
6aa8c7811e02d48797f51fd635e97060112122222638a725306ba6b690f691d1
LgoogLoader
78f4cb6ed265c721890f28d96e33ce8b2defae0d8c71eaafbbc75199ca270d23
LgoogLoader
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
LgoogLoader
e438b0686e14786fa975d2d724c0fb8615e868a1210c57e0323d537cbb08c665
LgoogLoader
e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea
LgoogLoader
f2f2fa1f2bfab812eb154d51fa5d22b303639f8a74442b9ef14e4be678fad1ee
LgoogLoader
+ 135 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221123-pk3f5seg3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Unpacked files
SH256 hash:
0926bacb537928a871955df7ffd80a95d95e13f3d45a8b586946124a4569a1ea
MD5 hash:
830805cb77ad611eb38cd8b58c76794c
SHA1 hash:
ea8e6b5122721b0137fe68f77b6d6f4f44f69772
Link:
https://www.unpac.me/results/ad2c9b4b-f8ff-40b4-9d94-d2da80a778f8/
SH256 hash:
a48d0a440c75cc77f43f8639b282d5ff22d5ada4da08f7687f8bb1e64ab730fe
MD5 hash:
6a8f7c1b95ce34ec5e6106db6af53505
SHA1 hash:
fe0f628bd947454dfefa83bfc7e74ff87189d8f6
Link:
https://www.unpac.me/results/ad2c9b4b-f8ff-40b4-9d94-d2da80a778f8/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a48d0a440c75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/a48d0a440c75cc77f43f8639b282d5ff22d5ada4da08f7687f8bb1e64ab730fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2431067/
Cape
Cape
https://www.capesandbox.com/analysis/337591/

Comments