MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0dcf56a1d4cdd036f873875f4baa5052ab8084178496a72fe4c4c8c404c4071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0dcf56a1d4cdd036f873875f4baa5052ab8084178496a72fe4c4c8c404c4071
SHA3-384 hash: e3c11feccb489d0c09adf7a7af491d722ed6ffc31d4f95ab6852eb821a0ce5ba84646fa4ea825d0c2e50f91a03d7e145
SHA1 hash: a877a0668967b4ff12fe567c9021d54a8542f565
MD5 hash: 2aef15cea5fdcc9628588d7dfc6381fb
humanhash: burger-football-west-freddie
File name:2aef15cea5fdcc9628588d7dfc6381fb.exe
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'597'808 bytes
First seen:2022-12-30 15:22:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:O7RK/BxxSNTtzl/R7TTNTHjw1dC0w71WtQztt1cMsPMN0nJtHb6MUdjwyZt/bJ+c:/IBjjcz3ROp7eyahyTYKj
Threatray 875 similar samples on MalwareBazaar
TLSH T17F757D243AFA5019F1B3EF699FE47596DA6FF6733B07A41D1050038A0B23A81DDD163A
TrID 40.9% (.EXE) Win64 Executable (generic) (10523/12/4)
19.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.0% (.ICL) Windows Icons Library (generic) (2059/9)
7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:Installrox
Issuer:Installrox
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-30T05:05:17Z
Valid to:2023-12-30T05:05:17Z
Serial number: bbd8fb62dc8d24bf91d3e2cf4b2bff04
Thumbprint Algorithm:SHA256
Thumbprint: 19a8dd25252eb35d40f80c7b61acf963e3362cc7c99176f7617d8907c80fe34c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2aef15cea5fdcc9628588d7dfc6381fb.exe
Verdict:
No threats detected
Analysis date:
2022-12-30 15:25:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8e70df1b-c5e4-4557-ad6f-4e5e50f983bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Using the Windows Management Instrumentation requests
Creating a file
Enabling autorun for a service
Blocking the User Account Control
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63af025cb9b1c173751ffbfc/reports/47e85293-6159-42d1-a3e4-6ff5bcfc8fbe/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/70767901-50b7-4346-8c04-12f0fde5bfee
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1143232
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Disables UAC (registry)
Injects a PE file into a foreign processes
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0dcf56a1d4cdd036f873875f4baa5052ab8084178496a72fe4c4c8c404c4071/
Threat name:
Win64.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-12-30 10:13:32 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
15 of 26 (57.69%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dopk2q5jtoqg34hhb27jovfauvlqccbpbewu4x6jrgiyqcmibyq._file
Verdict:
malicious
Similar samples:
121d73f51ed5133c97cbcbaba07d1d538cf68dba063189b5ff5aafae11e65fc4
LgoogLoader
2078a05b80b0f4ef9eeea5c477eea06704efd792203e2614c5ceabf24e09324c
LgoogLoader
533afea70b1fd1d2bc1bc9ade167aa251bdfaca969dbda48b240a17e01891986
LgoogLoader
81f88183029a59901067dd41d3b5fccdfbfc71600c6ac5cc259b83031cdb2b50
LgoogLoader
ba4f6fbd034bef02cb7a118b6b51e5ac65e0e9c7fa340c099ec5588dfc463c6c
LgoogLoader
c00660379db4da598cf59eeb74ae9a686803cc4296cbde73a61c988cf87e1d44
LgoogLoader
c7943ee404bd5a75c74a3570ed1c118fc190b0c03bd66f37c6495ef84b47ee27
LgoogLoader
e66a3a8ec788ee743a53778ce3adaeb98d15c691a4e15a361c644b5e98e2f60c
LgoogLoader
+ 865 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader evasion persistence trojan
Link:
https://tria.ge/reports/221230-ssg2ysbb2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
Windows security modification
Sets service image path in registry
Detects LgoogLoader payload
LgoogLoader
UAC bypass
Windows security bypass
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f1fe8d49-f5eb-4ffa-bb25-67f7d512e98c
Unpacked files
SH256 hash:
d0dcf56a1d4cdd036f873875f4baa5052ab8084178496a72fe4c4c8c404c4071
MD5 hash:
2aef15cea5fdcc9628588d7dfc6381fb
SHA1 hash:
a877a0668967b4ff12fe567c9021d54a8542f565
Link:
https://www.unpac.me/results/8e7a351a-31a3-43cb-8f77-1010dddab5c4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0dcf56a1d4c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d0dcf56a1d4cdd036f873875f4baa5052ab8084178496a72fe4c4c8c404c4071

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LgoogLoader

Executable exe d0dcf56a1d4cdd036f873875f4baa5052ab8084178496a72fe4c4c8c404c4071

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2488375/
  
Delivery method
Distributed via web download

Comments