lgoogloader | 140b117ebb69f027d931787d2a3b0bb445a655e5460c1100b808297c482ae1f5

General

Target

file.exe
Size

1.8MB
MD5

d62c0adb7bb8113e33b6d1edc9a1a511
SHA1

c527022d7a129c12c5b71116da750f41cf9d868f
SHA256

140b117ebb69f027d931787d2a3b0bb445a655e5460c1100b808297c482ae1f5
SHA512

bf9687f7a2694939818d3a4e58171d6b80204e85f4e1f32bcdb060eb66ece38370e08107253e4687df57f132fdb1f24ef3ac3cdc31dad553b203821ff4d38ddb
SSDEEP

49152:VKX23JkRwZq810P9GNu8Tj05WQOmtgEdnXROt0OQ:VKm3KRwZq810PgN1QwmtgEdnXROK9

Score

10^/10

lgoogloader rhadamanthys downloader stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1856-149-0x0000000001260000-0x000000000127D000-memory.dmp	family_rhadamanthys
behavioral2/memory/1856-154-0x0000000001260000-0x000000000127D000-memory.dmp	family_rhadamanthys

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4372-142-0x0000000002B30000-0x0000000002B3D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

file.exe

description pid process target process

PID 3152 created 2660 3152 file.exe taskhostw.exe
Loads dropped DLL 1 IoCs

Processes:

file.exe

pid process

3152 file.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

fontview.exe

pid process

1856 fontview.exe
1856 fontview.exe
1856 fontview.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 3152 set thread context of 4372 3152 file.exe ngentask.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2292 3152 WerFault.exe file.exe
1836 3152 WerFault.exe file.exe

description	pid	process	target process
PID 3152 created 2660	3152	file.exe	taskhostw.exe

pid	process
1856	fontview.exe
1856	fontview.exe
1856	fontview.exe

description	pid	process	target process
PID 3152 set thread context of 4372	3152	file.exe	ngentask.exe

pid	pid_target	process	target process
2292	3152	WerFault.exe	file.exe
1836	3152	WerFault.exe	file.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fontview.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

file.exe

pid	process
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe
3152	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fontview.exe

description pid process

Token: SeShutdownPrivilege 1856 fontview.exe
Token: SeCreatePagefilePrivilege 1856 fontview.exe

description	pid	process
Token: SeShutdownPrivilege	1856	fontview.exe
Token: SeCreatePagefilePrivilege	1856	fontview.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exe

description	pid	process	target process
PID 3152 wrote to memory of 4372	3152	file.exe	ngentask.exe
PID 3152 wrote to memory of 4372	3152	file.exe	ngentask.exe
PID 3152 wrote to memory of 4372	3152	file.exe	ngentask.exe
PID 3152 wrote to memory of 4372	3152	file.exe	ngentask.exe
PID 3152 wrote to memory of 4372	3152	file.exe	ngentask.exe
PID 3152 wrote to memory of 1856	3152	file.exe	fontview.exe
PID 3152 wrote to memory of 1856	3152	file.exe	fontview.exe
PID 3152 wrote to memory of 1856	3152	file.exe	fontview.exe
PID 3152 wrote to memory of 1856	3152	file.exe	fontview.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2660

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 576
2⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 836
2⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3152 -ip 3152
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3152 -ip 3152
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240546203.dll
Filesize
335KB

MD5
af92bfcb7e4c67628a686accbf4231df

SHA1
e5b392743d1731ca6fbe6b344d88028588548cac

SHA256
959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe

SHA512
553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c

Download Submit
memory/1856-148-0x00000000012B5000-0x00000000012B7000-memory.dmp

Filesize
8KB

Download
memory/1856-151-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download
memory/1856-145-0x0000000000000000-mapping.dmp

Download
memory/1856-144-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download
memory/1856-147-0x00000000012B5000-0x00000000012B7000-memory.dmp

Filesize
8KB

Download
memory/1856-154-0x0000000001260000-0x000000000127D000-memory.dmp

Filesize
116KB

Download
memory/1856-150-0x0000000003010000-0x0000000004010000-memory.dmp

Filesize
16.0MB

Download
memory/1856-149-0x0000000001260000-0x000000000127D000-memory.dmp

Filesize
116KB

Download
memory/1856-146-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download
memory/3152-152-0x0000000002880000-0x0000000002A03000-memory.dmp

Filesize
1.5MB

Download
memory/3152-155-0x0000000002880000-0x0000000002A03000-memory.dmp

Filesize
1.5MB

Download
memory/3152-133-0x0000000002880000-0x0000000002A03000-memory.dmp

Filesize
1.5MB

Download
memory/3152-134-0x000000000C3C0000-0x000000000C69C000-memory.dmp

Filesize
2.9MB

Download
memory/3152-153-0x000000000C3C0000-0x000000000C69C000-memory.dmp

Filesize
2.9MB

Download
memory/3152-132-0x000000000C3C0000-0x000000000C69C000-memory.dmp

Filesize
2.9MB

Download
memory/4372-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-142-0x0000000002B30000-0x0000000002B3D000-memory.dmp

Filesize
52KB

Download
memory/4372-135-0x0000000000000000-mapping.dmp

Download
memory/4372-141-0x0000000002B10000-0x0000000002B19000-memory.dmp

Filesize
36KB

Download
memory/4372-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads