lgoogloader | ca871a9028d80e2b3d73a8fe07b9d1628b52e0f9163402a3ab3199f512a36ab1

General

Target

file.exe
Size

1.8MB
MD5

dc36da0558ef0c16cd0cb8126af0f1f2
SHA1

79453dae6980710622e51e18a305d0511a227719
SHA256

ca871a9028d80e2b3d73a8fe07b9d1628b52e0f9163402a3ab3199f512a36ab1
SHA512

985b27688a33036911de8476707cef04a5a46cd0d5efdf1fdfd345b0bc0fbadd09b65a712567f6944745c3b51a9c741ff4cb5120028ff32661a28c33f6d38e8c
SSDEEP

49152:z3SF3DWhFU3AcOHYFv59oa1GOWJNg8ARSuSujF+N84:z3SF3cVSOa1GvNDySbuEN8

Score

10^/10

lgoogloader rhadamanthys downloader stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/744-149-0x0000000000800000-0x000000000081D000-memory.dmp	family_rhadamanthys
behavioral2/memory/744-150-0x00000000024F0000-0x00000000034F0000-memory.dmp	family_rhadamanthys

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2224-142-0x0000000000AB0000-0x0000000000ABD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

file.exe

description pid process target process

PID 1536 created 2848 1536 file.exe taskhostw.exe
Loads dropped DLL 1 IoCs

Processes:

file.exe

pid process

1536 file.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

fontview.exe

pid process

744 fontview.exe
744 fontview.exe
744 fontview.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 1536 set thread context of 2224 1536 file.exe ngentask.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3084 1536 WerFault.exe file.exe
1940 1536 WerFault.exe file.exe

description	pid	process	target process
PID 1536 created 2848	1536	file.exe	taskhostw.exe

pid	process
744	fontview.exe
744	fontview.exe
744	fontview.exe

description	pid	process	target process
PID 1536 set thread context of 2224	1536	file.exe	ngentask.exe

pid	pid_target	process	target process
3084	1536	WerFault.exe	file.exe
1940	1536	WerFault.exe	file.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fontview.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

file.exe

pid	process
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe
1536	file.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fontview.exe

description pid process

Token: SeShutdownPrivilege 744 fontview.exe
Token: SeCreatePagefilePrivilege 744 fontview.exe

description	pid	process
Token: SeShutdownPrivilege	744	fontview.exe
Token: SeCreatePagefilePrivilege	744	fontview.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1536 wrote to memory of 2224	1536	file.exe	ngentask.exe
PID 1536 wrote to memory of 2224	1536	file.exe	ngentask.exe
PID 1536 wrote to memory of 2224	1536	file.exe	ngentask.exe
PID 1536 wrote to memory of 2224	1536	file.exe	ngentask.exe
PID 1536 wrote to memory of 2224	1536	file.exe	ngentask.exe
PID 1536 wrote to memory of 744	1536	file.exe	fontview.exe
PID 1536 wrote to memory of 744	1536	file.exe	fontview.exe
PID 1536 wrote to memory of 744	1536	file.exe	fontview.exe
PID 1536 wrote to memory of 744	1536	file.exe	fontview.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2848

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 480
2⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 504
2⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1536 -ip 1536
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1536 -ip 1536
1⤵
PID:3596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240542734.dll
Filesize
335KB

MD5
af92bfcb7e4c67628a686accbf4231df

SHA1
e5b392743d1731ca6fbe6b344d88028588548cac

SHA256
959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe

SHA512
553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c

Download Submit
memory/744-148-0x00000000008E5000-0x00000000008E7000-memory.dmp

Filesize
8KB

Download
memory/744-153-0x0000000000150000-0x0000000000185000-memory.dmp

Filesize
212KB

Download
memory/744-144-0x0000000000150000-0x0000000000185000-memory.dmp

Filesize
212KB

Download
memory/744-146-0x0000000000150000-0x0000000000185000-memory.dmp

Filesize
212KB

Download
memory/744-145-0x0000000000000000-mapping.dmp

Download
memory/744-147-0x00000000008E5000-0x00000000008E7000-memory.dmp

Filesize
8KB

Download
memory/744-149-0x0000000000800000-0x000000000081D000-memory.dmp

Filesize
116KB

Download
memory/744-150-0x00000000024F0000-0x00000000034F0000-memory.dmp

Filesize
16.0MB

Download
memory/1536-152-0x000000000F110000-0x000000000F40A000-memory.dmp

Filesize
3.0MB

Download
memory/1536-133-0x00000000028C0000-0x0000000002A4A000-memory.dmp

Filesize
1.5MB

Download
memory/1536-151-0x00000000028C0000-0x0000000002A4A000-memory.dmp

Filesize
1.5MB

Download
memory/1536-132-0x000000000F110000-0x000000000F40A000-memory.dmp

Filesize
3.0MB

Download
memory/1536-134-0x000000000F110000-0x000000000F40A000-memory.dmp

Filesize
3.0MB

Download
memory/1536-154-0x00000000028C0000-0x0000000002A4A000-memory.dmp

Filesize
1.5MB

Download
memory/2224-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-135-0x0000000000000000-mapping.dmp

Download
memory/2224-141-0x0000000000A90000-0x0000000000A99000-memory.dmp

Filesize
36KB

Download
memory/2224-142-0x0000000000AB0000-0x0000000000ABD000-memory.dmp

Filesize
52KB

Download
memory/2224-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads