MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac1bbc53ec6158d8dfa191b81292c96d8fb106d4ea196a6bef55027e0702b6f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac1bbc53ec6158d8dfa191b81292c96d8fb106d4ea196a6bef55027e0702b6f9
SHA3-384 hash: c7c01d1c7d949413649cdbc42b539ce5362ce9fb238942f15d5db1981162ddfb206bfca12a9898fb2f1453335be6a264
SHA1 hash: 48b6325d5841bc5a6ae380c39104a7a98c413d8e
MD5 hash: 46730ad8136ced0a6d87b92807313281
humanhash: golf-kitten-california-mirror
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:493'056 bytes
First seen:2022-11-28 10:06:15 UTC
Last seen:2022-11-28 13:07:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:xpn/rxLpFSL9Vhw5E/ZOkIQzFnzLHLrDzR3+PnPpaGXKoF:xZddsPD/QIzFnrr10lF
Threatray 689 similar samples on MalwareBazaar
TLSH T1DFA42305D170AB53D2B1EBB1CB9D77AFC428E38F171FC1A20B5A481C4CA33C5566EA96
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe LgoogLoader


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_657006406?hash=lmgpc4qvqF0Pu5Jn0L3WioxSeRCqOL7FF21YxxvLTMP&dl=G43DANZVGAYDSNY:1669628292:4GP3TdPmYm89At4PkZZBzklA31YUCcapgRpIOJjR1JT&api=1&no_preview=1#adan

Intelligence

File Origin
# of uploads :
6
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-11-28 10:08:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fc065fa4-5d6a-4a20-944e-38ed0c681621

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339371/
Detection(s):
SecuriteInfo.com.Malware.PDB-57.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Using the Windows Management Instrumentation requests
Creating a file
Enabling autorun for a service
Blocking the User Account Control
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638488475be128ac718f40f5/reports/6d56926d-a139-452b-a09d-00b1846dfcf8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b00d53fb-b5f1-4d96-9714-e92f2d288e74
Result
Threat name:
ManusCrypt, SmokeLoader, Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.bank.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122402
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disables UAC (registry)
Drops PE files with benign system names
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loads a driver with an invalid driver name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Obfuscated command line found
Overwrites Mozilla Firefox settings
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Download and Execute IEX
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected ManusCrypt
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755119 Sample: file.exe Startdate: 28/11/2022 Architecture: WINDOWS Score: 100 197 Malicious sample detected (through community Yara rule) 2->197 199 Antivirus detection for URL or domain 2->199 201 Antivirus detection for dropped file 2->201 203 14 other signatures 2->203 11 file.exe 5 5 2->11         started        15 rundll32.exe 2->15         started        17 svchost.exe 2->17         started        19 5 other processes 2->19 process3 file4 133 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 11->133 dropped 135 C:\Users\user\AppData\Local\...\file.exe.log, CSV 11->135 dropped 233 Writes to foreign memory regions 11->233 235 Adds a directory exclusion to Windows Defender 11->235 237 Disables UAC (registry) 11->237 239 2 other signatures 11->239 21 CasPol.exe 58 11->21         started        25 powershell.exe 27 11->25         started        27 rundll32.exe 15->27         started        30 WerFault.exe 17->30         started        signatures5 process6 dnsIp7 145 185.79.156.69 TCIIR Iran (ISLAMIC Republic Of) 21->145 147 151.115.10.1 OnlineSASFR United Kingdom 21->147 149 11 other IPs or domains 21->149 99 C:\Users\user\AppData\Local\Temp\...\JLqXXm, PE32 21->99 dropped 101 C:\Users\user\AppData\Local\Temp\...\dahzbL, PE32 21->101 dropped 103 C:\Users\user\AppData\Local\Temp\...\fbbhVf, PE32+ 21->103 dropped 105 17 other malicious files 21->105 dropped 32 HsfDIx 21->32         started        36 dahzbL 21->36         started        38 Ybratc 21->38         started        48 4 other processes 21->48 40 conhost.exe 25->40         started        225 Contains functionality to infect the boot sector 27->225 227 Contains functionality to inject threads in other processes 27->227 229 Writes to foreign memory regions 27->229 231 4 other signatures 27->231 42 svchost.exe 27->42 injected 44 svchost.exe 27->44 injected 46 svchost.exe 27->46 injected 51 5 other processes 27->51 file8 signatures9 process10 dnsIp11 95 C:\Users\user\AppData\Local\...\HsfDIx.tmp, PE32 32->95 dropped 173 Multi AV Scanner detection for dropped file 32->173 175 Obfuscated command line found 32->175 53 HsfDIx.tmp 32->53         started        177 Contains functionality to inject code into remote processes 36->177 179 Injects a PE file into a foreign processes 36->179 57 dahzbL 36->57         started        60 Conhost.exe 36->60         started        181 Detected unpacking (changes PE section rights) 38->181 183 Detected unpacking (overwrites its own PE header) 38->183 185 Machine Learning detection for dropped file 38->185 187 Drops PE files with benign system names 38->187 62 Ybratc 38->62         started        189 Sets debug register (to hijack the execution of another thread) 42->189 191 Modifies the context of a thread in another process (thread injection) 42->191 64 svchost.exe 42->64         started        139 148.251.234.83 HETZNER-ASDE Germany 48->139 141 157.240.247.35 FACEBOOKUS United States 48->141 143 4 other IPs or domains 48->143 97 C:\Users\user\AppData\Local\Temp\db.dll, PE32 48->97 dropped 193 Antivirus detection for dropped file 48->193 195 Creates processes via WMI 48->195 66 cmd.exe 1 48->66         started        68 cmd.exe 1 48->68         started        70 WerFault.exe 48->70         started        72 conhost.exe 48->72         started        file12 signatures13 process14 dnsIp15 151 68.232.34.200 EDGECASTUS United States 53->151 153 13.224.103.16 AMAZON-02US United States 53->153 163 2 other IPs or domains 53->163 107 C:\Users\user\...\unins000.exe (copy), PE32 53->107 dropped 109 C:\Users\user\...\packetcrypt.dll (copy), PE32+ 53->109 dropped 111 C:\Users\user\...\nvrtc64_100_0.dll (copy), PE32+ 53->111 dropped 123 37 other files (36 malicious) 53->123 dropped 74 vc_redist.x64.exe 53->74         started        205 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 57->205 207 Maps a DLL or memory area into another process 57->207 209 Checks if the current machine is a virtual machine (disk enumeration) 57->209 211 Creates a thread in another existing process (thread injection) 57->211 77 explorer.exe 57->77 injected 113 C:\Windows\rss\csrss.exe, PE32 62->113 dropped 213 Creates an autostart registry key pointing to binary in C:\Windows 62->213 155 208.95.112.1 TUT-ASUS United States 64->155 157 172.67.161.69 CLOUDFLARENETUS United States 64->157 159 34.142.181.181 ATGS-MMD-ASUS United States 64->159 115 C:\Users\user\AppData\...\cookies.sqlite.db, SQLite 64->115 dropped 117 C:\Users\user\AppData\Local\...\Login Data.db, SQLite 64->117 dropped 119 C:\Users\user\AppData\Local\...\Login Data.db, SQLite 64->119 dropped 121 C:\Users\user\AppData\Local\...\Cookies.db, SQLite 64->121 dropped 215 Query firmware table information (likely to detect VMs) 64->215 217 Installs new ROOT certificates 64->217 219 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 64->219 223 2 other signatures 64->223 221 Uses ping.exe to check the status of other devices and networks 66->221 81 PING.EXE 66->81         started        83 conhost.exe 66->83         started        85 powershell.exe 14 16 68->85         started        87 conhost.exe 68->87         started        161 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 70->161 file16 signatures17 process18 dnsIp19 129 C:\Windows\Temp\...\vc_redist.x64.exe, PE32 74->129 dropped 89 vc_redist.x64.exe 74->89         started        165 93.184.220.29 EDGECASTUS European Union 77->165 167 192.168.11.1 unknown unknown 77->167 131 C:\Users\user\AppData\Roaming\gtjajss, PE32 77->131 dropped 241 Benign windows process drops PE files 77->241 243 Hides that the sample has been downloaded from the Internet (zone.identifier) 77->243 169 127.0.0.1 unknown unknown 81->169 171 217.12.206.79 GREENFLOID-ASUA Ukraine 85->171 file20 signatures21 process22 file23 125 C:\Windows\Temp\...\VC_redist.x64.exe, PE32 89->125 dropped 127 C:\Windows\Temp\...\wixstdba.dll, PE32 89->127 dropped 92 VC_redist.x64.exe 89->92         started        process24 file25 137 C:\ProgramData\...\VC_redist.x64.exe, PE32 92->137 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac1bbc53ec6158d8dfa191b81292c96d8fb106d4ea196a6bef55027e0702b6f9/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 10:07:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqn3yu7mmfmnrx5bsg4bfewjnwh3cbwu5imwu27pkubh4bycw34q._file
Verdict:
malicious
Similar samples:
17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd
LgoogLoader
34607326603ce36c63cde3c1a556390d7d3430220ba5cdb3477b75d1f3b21184
LgoogLoader
55cf18f4491e2db87c5612b2501dbbd3acd9c6460b1863ab56f5d9209cbecbdc
LgoogLoader
c4a2d1a93c9da2d51ae8d0ef88b1dbf6fecd931714d9a09221c4f928f6861ce3
LgoogLoader
d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1
LgoogLoader
dd1d02c072a5644dbbbcadc2a8b6195cd420b55a6f8ec2309d0e1682f434bdff
LgoogLoader
def9b4590e2daf9efa8ce75908a776997c3e434dda942b58c8ece1994a4ec8e2
LgoogLoader
fc4f03fc4b6d9495dfee1c7e31788915bc3d2bb25eb007f2fc4cbefaf2793491
LgoogLoader
+ 679 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader evasion persistence trojan
Link:
https://tria.ge/reports/221128-l5mpmsag61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
Windows security modification
Sets service image path in registry
Detects LgoogLoader payload
LgoogLoader
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
ac1bbc53ec6158d8dfa191b81292c96d8fb106d4ea196a6bef55027e0702b6f9
MD5 hash:
46730ad8136ced0a6d87b92807313281
SHA1 hash:
48b6325d5841bc5a6ae380c39104a7a98c413d8e
Link:
https://www.unpac.me/results/3ab41607-ccf6-4e00-bf99-31fb530126bb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac1bbc53ec61/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ac1bbc53ec6158d8dfa191b81292c96d8fb106d4ea196a6bef55027e0702b6f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/339371/

Comments