MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6dcdfa5821f7fb5a836ec2157742c9b117745584b82ed3f03d6987ce93d9b05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6dcdfa5821f7fb5a836ec2157742c9b117745584b82ed3f03d6987ce93d9b05
SHA3-384 hash: b6608f2fa9679fcc01e14b4d79e7c89905376e318c6f9a9ce3501b658f7348672601f99d9b1f3676c941db84bf089504
SHA1 hash: 96c85dfef569a01d225103fe834fb3f36aac7739
MD5 hash: 27ef7bbf755267538f37c066c56bff49
humanhash: earth-sink-hydrogen-lithium
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'574'096 bytes
First seen:2022-12-05 22:36:47 UTC
Last seen:2022-12-06 08:35:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c69529633147fae61949183715b7d49d (1 x LgoogLoader, 1 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 24576:tMnBHBm0Q0n2ra5jcJFX73lqs7EzkF0Nz9tJToJ8m8VnIW01U0flLRW:tMkW2mEXVEzkK9tK81j01U0XW
Threatray 57 similar samples on MalwareBazaar
TLSH T1D2752301B7B18446C5BB3A3445BA4BA02A3F7C717BB9878723C5F9A91EB17E00D64367
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0d8a8ece8b0c4c4 (2 x ArkeiStealer, 2 x RedLineStealer, 2 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:www.startech.com
Issuer:DigiCert SHA2 Extended Validation Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-06T00:00:00Z
Valid to:2023-08-18T23:59:59Z
Serial number: 05c171e14a1330e1892ba2a1d097b3e3
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: c06c8839092a35e588f966edd21a87259f8da9fc74039700a4335b674c9dec04
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://myexes.s3.ap-northeast-1.amazonaws.com/Adsme.exe

Intelligence

File Origin
# of uploads :
15
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-05 22:38:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a4efb133-ae1e-4855-a426-e821a5c14a1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/343099/
Detection(s):
SecuriteInfo.com.Unwanted-Program.004d2a1d1.27494.3985.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638e72909a505ad9423d8289/reports/5c2ef70a-f52e-4adb-95f0-e5daf3042f4b/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e04afc7-01d7-48c8-808f-31e01bd75a1a
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1128490
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6dcdfa5821f7fb5a836ec2157742c9b117745584b82ed3f03d6987ce93d9b05/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2022-12-05 20:28:02 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3on7jmcd573lkbw5qqvo5bmtmixorkyjobo2pyd22mhz2j5tmcq._file
Verdict:
malicious
Similar samples:
44192d53830cd0b58bd4c3213649104f23f5c5cb2d4f1168d2d07654e841b907
LgoogLoader
5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd
LgoogLoader
6b6fb52a435554c131a8d186a61c0c199964c0e4a8a0c4d173bfe5b0e7543578
LgoogLoader
7a5647b5e4aca4354ceac0ab494086ecf14ccfaef3075110ca5fde952982e88d
LgoogLoader
8391de874c21ac03bf02c2e6fa7feabc06b2421df1ca6820cc38ad911b060937
LgoogLoader
89129a297232b33e9caa53adbd927bffa9a6e1a2905f21e01b17f4fd374a2c27
LgoogLoader
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
LgoogLoader
be7096119b86de54f3a82c8059e372396169c30d2300d4ec768f4065e4b1b9a7
LgoogLoader
+ 47 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221205-2jslrsgd9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Unpacked files
SH256 hash:
9afe754f200f3a83dbeb45b0ab08ff43bec2cf1190f966c5e978560a2f40c536
MD5 hash:
03b9bfb60bf4a1c54837c1159e7606e8
SHA1 hash:
87abfc6dda4a7c2c527c850aa16995e216f0821e
Link:
https://www.unpac.me/results/91250d02-b692-4bf6-9e40-0a1b79842ff7/
SH256 hash:
c6dcdfa5821f7fb5a836ec2157742c9b117745584b82ed3f03d6987ce93d9b05
MD5 hash:
27ef7bbf755267538f37c066c56bff49
SHA1 hash:
96c85dfef569a01d225103fe834fb3f36aac7739
Link:
https://www.unpac.me/results/91250d02-b692-4bf6-9e40-0a1b79842ff7/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6dcdfa5821f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/c6dcdfa5821f7fb5a836ec2157742c9b117745584b82ed3f03d6987ce93d9b05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/343099/

Comments