General
-
Target
f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
-
Size
752KB
-
Sample
230116-m2wc2sdh77
-
MD5
31676b02114e92e2de69d7ea17c307f1
-
SHA1
529374ccf0c521faf0a32279961a54142f20a44a
-
SHA256
f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
-
SHA512
6b1ddc30454437b193fd473b20fe4a63afd55ff9912a19e3bdb0a1c25fb76ee0c3d48fc616576febd8cdaac7aa600af71847ca379fff931dbf9da0d665e1049d
-
SSDEEP
12288:VQi3IG+zy2Oc6m6UR0Iqpp1hf39Wkv8xwJA:VQiYG+zy2OzHIqppdUMA
Static task
static1
Behavioral task
behavioral1
Sample
f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
gcleaner
45.139.105.171
85.31.46.167
107.182.129.235
171.22.30.106
Targets
-
-
Target
f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
-
Size
752KB
-
MD5
31676b02114e92e2de69d7ea17c307f1
-
SHA1
529374ccf0c521faf0a32279961a54142f20a44a
-
SHA256
f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
-
SHA512
6b1ddc30454437b193fd473b20fe4a63afd55ff9912a19e3bdb0a1c25fb76ee0c3d48fc616576febd8cdaac7aa600af71847ca379fff931dbf9da0d665e1049d
-
SSDEEP
12288:VQi3IG+zy2Oc6m6UR0Iqpp1hf39Wkv8xwJA:VQiYG+zy2OzHIqppdUMA
-
Detects LgoogLoader payload
-
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-