MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db879678592ef06f80666d6e86759df9ebdf0fd7349af580a8a9c1f1cf7eee36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LgoogLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db879678592ef06f80666d6e86759df9ebdf0fd7349af580a8a9c1f1cf7eee36
SHA3-384 hash: 4413d94bd513515673ac575a67232ef2c99aecd76c8620f67ea2d0815568da0a95ae3d84ef7f69416006fa58b2dce2a7
SHA1 hash: c3a075f1b63eaf0f35ce30353953b57bff9bcf60
MD5 hash: 113dcfaa5eae025a32dc8af96ed2464b
humanhash: harry-king-earth-hamper
File name:file
Download: download sample
Signature LgoogLoader
Create hunting rule
File size:1'630'360 bytes
First seen:2022-11-30 14:51:46 UTC
Last seen:2022-12-01 07:56:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 65e2071a6dbd1bcc77513fd1371485e4 (3 x LgoogLoader, 1 x SystemBC)
ssdeep 24576:jWHlXD9v6gtKZHYKz7sWcfJDUOrycdodbuPD6dgKved6Fv3FUsA5:ulXD3kZHHAWgbrUFuPuvbqsA5
Threatray 39 similar samples on MalwareBazaar
TLSH T1A475F19CC4A550A9E67F7077317A9B4198221770C3BB50DFC6C262B4FA6EE71C97022B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0c8e2b29ae8c4cc (1 x LgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:mamba.net
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-09T13:15:06Z
Valid to:2023-01-07T13:15:05Z
Serial number: 031d4a436b6f82fd6e30a68de3ef8fcb7ff4
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 6137c26a9eb1578ae5aa1b24b7b4c8227c3f48a9b5012e14c4698bcafcbb2427
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_657159023?hash=jhkzRy8IK7DThnKTAZ231lrmy7huSbOJOwZNMayNKtP&dl=G43DANZVGAYDSNY:1669815407:6BlEOrZKrJnFp8Yo6coKYo5nLshoyfPp3z5QB1I5cdg&api=1&no_preview=1#adan

Intelligence

File Origin
# of uploads :
18
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-01 01:19:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/41de2564-111d-456d-aebe-25c9b3250802

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/340163/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Creating a file in the %temp% directory
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63876e15559d07a06f48cc66/reports/23f7265f-afd1-4bd6-ab84-31caf81875ca/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5e6204f5-5cc7-4e63-86f6-1464c16bb6bd
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1124073
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db879678592ef06f80666d6e86759df9ebdf0fd7349af580a8a9c1f1cf7eee36/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-11-30 14:19:19 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3odzm6czf3yg7adgnvxim5m57hv56d6xgsnplafivha7dt365y3a._file
Verdict:
malicious
Similar samples:
4f1f7b8e2fc6d9fb748e37d981d6e6cb9e5de29eab70eda27189da4e86bc8c88
LgoogLoader
5433ab6651bf43c719571439a3b98dbd52212d1259a8e2adf28a3eae87f335dd
LgoogLoader
61436285b70355a6e0239c982c9b4a12cf2061c5b9c1eb2f4ff97133c549e891
LgoogLoader
7e20c52b5f40ae6bdfaa67996aa35a93c3ff1e1a197ba6b582fac1555af6d0f9
LgoogLoader
a48d0a440c75cc77f43f8639b282d5ff22d5ada4da08f7687f8bb1e64ab730fe
LgoogLoader
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
LgoogLoader
d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560
LgoogLoader
e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea
LgoogLoader
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221130-r8rewsda8s/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d6c9a312-3b5f-4fe3-b148-588ba85311ed
Unpacked files
SH256 hash:
db1e3236287090c6c8416873776fb2b60c3ecf03f79b57d8dfffc0fc72726700
MD5 hash:
d3ce348c9ba7d3b371e8a902ab4ee17b
SHA1 hash:
aaa5db4b5724ef0922df01610e831d30b5cb619b
Link:
https://www.unpac.me/results/cf18ce0e-b863-4702-883c-f2a17f06ec80/
SH256 hash:
db879678592ef06f80666d6e86759df9ebdf0fd7349af580a8a9c1f1cf7eee36
MD5 hash:
113dcfaa5eae025a32dc8af96ed2464b
SHA1 hash:
c3a075f1b63eaf0f35ce30353953b57bff9bcf60
Link:
https://www.unpac.me/results/cf18ce0e-b863-4702-883c-f2a17f06ec80/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/db879678592e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db879678592ef06f80666d6e86759df9ebdf0fd7349af580a8a9c1f1cf7eee36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/340163/

Comments