MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7943ee404bd5a75c74a3570ed1c118fc190b0c03bd66f37c6495ef84b47ee27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7943ee404bd5a75c74a3570ed1c118fc190b0c03bd66f37c6495ef84b47ee27
SHA3-384 hash: a0a3d38bb824d7937599706234ceb4955e4d9ec8a6256442d052d38fcfc0e0b520f22c38ff74f038f4c38c39e3e94240
SHA1 hash: 5ed51591fd5336543ccc892eb95592116f9a0930
MD5 hash: 5669a8941ffd83bae6f1ba0a81c8fd6a
humanhash: carbon-oregon-mountain-vermont
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'615'192 bytes
First seen:2022-12-30 07:23:15 UTC
Last seen:2022-12-30 19:48:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:8vfGjh7qQk0jZoNmjcP7DFSdphHNWiCRxzuVcEw2D4UnUNv5YJ6kZE+E8Ie2av65:lh9DjcypZVA1xwNLuAb6FBc2nWmL4o
Threatray 874 similar samples on MalwareBazaar
TLSH T10C757D243DFA8019F1B3EF699EE47596DA6FB6733B07A45D1050038A0A23E81DDD163E
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:hdgSS
Issuer:hdgSS
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-30T06:39:36Z
Valid to:2023-12-30T06:39:36Z
Serial number: 1855c5ab5ba13b0018ca5c5a52382ccc
Thumbprint Algorithm:SHA256
Thumbprint: 3f02bd14c86d7eca5c2c045a87567081e1ab3bf31cbafdcc93e9b31fd7d165e1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://www.isurucabs.lk/Ads11.exe

Intelligence

File Origin
# of uploads :
10
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7943ee404bd5a75c74a3570ed1c118fc190b0c03bd66f37c6495ef84b47ee27.dll
Verdict:
Suspicious activity
Analysis date:
2022-12-30 07:09:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b4c5de8-17dd-46a8-9bca-737589bc3483

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Launching a process
Creating a file
Enabling autorun for a service
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63ae921440e878e3042139dd/reports/5b7d146b-df2d-4ca5-adc0-fbb5121370ed/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0e5f5ad0-c8f9-4fcb-8ae4-b090c12a7567
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1143096
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7943ee404bd5a75c74a3570ed1c118fc190b0c03bd66f37c6495ef84b47ee27/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-30 07:24:10 UTC
File Type:
PE+ (.Net Exe)
AV detection:
4 of 26 (15.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6kd5zaexvnhlr2kgvyo2harr7azbmgahplg6n6gjfppqs2h5ytq._file
Verdict:
malicious
Similar samples:
3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f
LgoogLoader
6f05a91cd30498cf1bc9b2e0058f1e3caa18b401b77d0a83b71a6df845430716
LgoogLoader
73a4ca1224bc4657443596157d3ce150bcd4b6dd32217f2467818c7efea4ee43
LgoogLoader
866056e13d99c7a721a0e66aef8c2526dd2b8b6cecc90b0583699a175eeb66b7
LgoogLoader
8704ae52c171fda49a24e3d2b6fbbe3d2f1fad146c6fc50da13f926abfaec8a3
LgoogLoader
a4a93882eebffcb57433742517438c5d56a6d67470a674558f4db52ff4306c9a
LgoogLoader
a99c69752668a94268cdb482df74649d755fcf56ecd9f431b1cb03b816a593cc
LgoogLoader
a9cf955162a9164b63c70530a2ed72b02ab53f7b39a3a9ece842cd2bebfb117c
LgoogLoader
d5f4b34691f83d4e43fca884fd61b14af4893be3843ec3d41ed1c38539b28f6d
LgoogLoader
e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3
LgoogLoader
+ 864 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader persistence
Link:
https://tria.ge/reports/221230-h8ddlafb56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Sets service image path in registry
Detects LgoogLoader payload
LgoogLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1758f63d-c4d9-4139-9cbc-ec462beeaf0e
Unpacked files
SH256 hash:
c7943ee404bd5a75c74a3570ed1c118fc190b0c03bd66f37c6495ef84b47ee27
MD5 hash:
5669a8941ffd83bae6f1ba0a81c8fd6a
SHA1 hash:
5ed51591fd5336543ccc892eb95592116f9a0930
Link:
https://www.unpac.me/results/cc81ff06-5d52-4ae3-a146-a6fb20a615be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c7943ee404bd5a75c74a3570ed1c118fc190b0c03bd66f37c6495ef84b47ee27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2488375/

Comments