MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

lgoogLoader
Vendor detections: 9

SHA256 hash: e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea
SHA3-384 hash: f19ecbc1281868ef738cc8cbe24da73a7ebbc68ad5ed97829705261d60f9f926857a36dfe892f5c71bea1816eaadf64e
SHA1 hash: d1990c913ad915f686cd75ccf5e90899dd5b4f46
MD5 hash: ccea090c93d4e5a9ce01e59a76465842
humanhash: connecticut-five-twelve-grey
File name: file
Signature: lgoogLoader
File size: 939'456 bytes
First seen: 2022-11-09 21:50:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep: 24576:SfW4gCZbETPFezWurQbdE6EJlumtoySle9:IW4gCe7Fez/0LEX8vW
Threatray: 79 similar samples on MalwareBazaar
TLSH: T19615123728E96925DBC237750BE6E027D67CF9702B326653931329D8DC39BE43A38149
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 84b0e06060a42408 (1 x lgoogLoader)
Reporter: jstrosch
Tags: exe LgoogLoader

Intelligence


File Origin
# of uploads:
1
# of downloads:
194
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-09 21:53:11 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
advpack.dll overlay packed rundll32.exe setupapi.dll shell32.dll
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ManusCrypt, SmokeLoader, Socelars, lgoog
Detection:
malicious
Classification:
troj.evad.spre.phis.bank.spyw.expl.mine
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
DLL reload attack detected
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found stalling execution ending in API Sleep call
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Chrome's extension installation force list
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites Mozilla Firefox settings
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Download and Execute IEX
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected ManusCrypt
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2022-11-09 21:51:14 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
12 of 26 (46.15%)
Threat level:
5/5
Result
Malware family:
lgoogloader
Score:
10/10
Tags:
family:lgoogloader downloader persistence
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Detects LgoogLoader payload
LgoogLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
f49afba8d3c5c424407952957b3c9c23b6e00cc69e0ac8094d0306455460ef3f
MD5 hash:
d965465d61650c37d510b5e18f5b9ad0
SHA1 hash:
416c81e844e5151da6281d39ca3b56f8d99d64cd
SHA256 hash:
e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea
MD5 hash:
ccea090c93d4e5a9ce01e59a76465842
SHA1 hash:
d1990c913ad915f686cd75ccf5e90899dd5b4f46
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

lgoogLoader

Executable exe e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea

(this sample)

Delivery method
Distributed via web download

Comments