MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560
SHA3-384 hash: ea8f490ee553eb87a5b605fb26276c6c87baaca2b5de607ef26f20d336916576ffc0bf0576fdf486581e5a1a8da02c1c
SHA1 hash: b04b59f8e41de1891e496b3c6639f6a6600d3b30
MD5 hash: e314a8908a2423bc4bdbf9a60a546cce
humanhash: oklahoma-washington-india-blue
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'295'784 bytes
First seen:2022-11-26 20:33:55 UTC
Last seen:2022-11-27 15:58:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f2a7669845a558af78441959111ad23e (2 x LgoogLoader, 1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 24576:wEGuWhuR1E3+6m249Mm+v/IZovQ2qn3MFxV8kLNQ3IIs52PV4AWUTt:ssRMm249M7v/0qon3Kak/LpAh5
Threatray 709 similar samples on MalwareBazaar
TLSH T1DA55D088F9EC79E1E0716FB0AFA063B1CB9DB2334D03585523A882D5ADBC5195F2749C
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 02d0a0e090d40480 (1 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:lightweight.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-23T01:34:00Z
Valid to:2023-01-21T01:33:59Z
Serial number: 03bd4d35d83158d19f0c08eb37233d489710
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 2682387b0915b66026ca6a0a74a6760ed52bd8539bbcbbc1ef0a3b2b5aa1e429
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656914997?hash=9XG6FDnfIlsie58mRejfuWzAJo3BZtcmFdZ35Ft5LTs&dl=G43DANZVGAYDSNY:1669491793:wTM5AWNrVkOIdOj8W78IqprzHZZDX25cHTeCQzQ3WGT&api=1&no_preview=1#adan

Intelligence

File Origin
# of uploads :
19
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-26 20:34:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/65df4649-69c1-41d3-8c4b-face9ada3529

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338861/
Detection(s):
SecuriteInfo.com.BScope.Exploit.Shellcode.23529.5337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Unauthorized injection to a recently created process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6382783e5be128ac718f015f/reports/3f274b5c-04a8-4a3b-9b4a-2a226f82a9bd/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWalker Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d271c3c4-71f3-4976-9b0c-fb2fb35b8360
Result
Threat name:
RedLine, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121699
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 754416 Sample: file.exe Startdate: 26/11/2022 Architecture: WINDOWS Score: 100 28 www.sssupersports.com 2->28 38 Snort IDS alert for network traffic 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 7 other signatures 2->44 8 file.exe 19 2->8         started        signatures3 process4 dnsIp5 34 www.sssupersports.com 104.21.44.248, 443, 49707, 49708 CLOUDFLARENETUS United States 8->34 36 epuvp8dqmbocm38gj.a59fwgfurnpym6x 8->36 22 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 8->22 dropped 24 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 8->24 dropped 26 C:\Users\user\AppData\...\library[1].bin, PE32 8->26 dropped 50 Writes to foreign memory regions 8->50 52 Allocates memory in foreign processes 8->52 54 Drops PE files with benign system names 8->54 56 2 other signatures 8->56 13 svchost.exe 1 8->13         started        16 ngentask.exe 8->16         started        file6 signatures7 process8 signatures9 58 Machine Learning detection for dropped file 13->58 60 Writes to foreign memory regions 13->60 62 Injects a PE file into a foreign processes 13->62 18 InstallUtil.exe 15 4 13->18         started        64 Contains functionality to infect the boot sector 16->64 66 Contain functionality to detect virtual machines 16->66 68 Contains functionality to inject code into remote processes 16->68 process10 dnsIp11 30 109.206.243.58, 49714, 81 AWMLTNL Germany 18->30 32 api.ip.sb 18->32 46 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->46 48 Tries to harvest and steal browser information (history, passwords, etc) 18->48 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 20:34:12 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zxjuswzxggcodaln3y2wic2xcz54rgufruure2xbzvh6th5qvqa._file
Verdict:
malicious
Similar samples:
022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece
LgoogLoader
33a234f3faa0307efb4e286af5df42a3a71ce440f9be28075d7ec9c669e81df7
LgoogLoader
3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f
LgoogLoader
4184d4b8d72dd7c39855ec4b2916603118219bae7d2adcf6c5e31ab88466cc35
LgoogLoader
76ceea32c047b1b705dc7c4dd5e077d8d95061eade40ef8ddf53b269151cfb3f
LgoogLoader
ca240b4fd7c8b8dc492d92070641e46fd4dd125a7e9d394d7d1bba7e83cabfca
LgoogLoader
db9bb4ecdc01a72d728f9fc7e522848ba7afe64bfa27516f0505a179db2f7345
LgoogLoader
e82920cb9b7cf1077cdddabb9b56e84c70653f836ef85ea4d4a700501ccd12a3
LgoogLoader
+ 699 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221126-zce1zsce66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a6f258b6-1a33-4238-b0b1-18dfb285b7f8
Unpacked files
SH256 hash:
22d29dd5170bd1fa9fade3c9a3a65dcb339d595e3b4a0b77f0f703a228147a41
MD5 hash:
c8e65b34b238a6e3629b10ebd0e46880
SHA1 hash:
47058884873f8f8ec6dfb7745739b76a509b8d9d
Link:
https://www.unpac.me/results/f6cbb31e-13f7-412f-9520-3c7dfba24d31/
SH256 hash:
d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560
MD5 hash:
e314a8908a2423bc4bdbf9a60a546cce
SHA1 hash:
b04b59f8e41de1891e496b3c6639f6a6600d3b30
Link:
https://www.unpac.me/results/f6cbb31e-13f7-412f-9520-3c7dfba24d31/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d66e9a4ad9b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/338861/

Comments