lgoogloader | ca871a9028d80e2b3d73a8fe07b9d1628b52e0f9163402a3ab3199f512a36ab1

General

Target

file.exe
Size

1.8MB
MD5

dc36da0558ef0c16cd0cb8126af0f1f2
SHA1

79453dae6980710622e51e18a305d0511a227719
SHA256

ca871a9028d80e2b3d73a8fe07b9d1628b52e0f9163402a3ab3199f512a36ab1
SHA512

985b27688a33036911de8476707cef04a5a46cd0d5efdf1fdfd345b0bc0fbadd09b65a712567f6944745c3b51a9c741ff4cb5120028ff32661a28c33f6d38e8c
SSDEEP

49152:z3SF3DWhFU3AcOHYFv59oa1GOWJNg8ARSuSujF+N84:z3SF3cVSOa1GvNDySbuEN8

Score

10^/10

lgoogloader rhadamanthys downloader stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2472-149-0x00000000006E0000-0x00000000006FD000-memory.dmp	family_rhadamanthys

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3412-142-0x00000000013A0000-0x00000000013AD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

file.exe

description pid process target process

PID 3468 created 2548 3468 file.exe taskhostw.exe
Loads dropped DLL 1 IoCs

Processes:

file.exe

pid process

3468 file.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

fontview.exe

pid process

2472 fontview.exe
2472 fontview.exe
2472 fontview.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 3468 set thread context of 3412 3468 file.exe ngentask.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

224 3468 WerFault.exe file.exe
2636 3468 WerFault.exe file.exe

description	pid	process	target process
PID 3468 created 2548	3468	file.exe	taskhostw.exe

pid	process
2472	fontview.exe
2472	fontview.exe
2472	fontview.exe

description	pid	process	target process
PID 3468 set thread context of 3412	3468	file.exe	ngentask.exe

pid	pid_target	process	target process
224	3468	WerFault.exe	file.exe
2636	3468	WerFault.exe	file.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fontview.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exetaskmgr.exe

pid	process
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
3468	file.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2304 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fontview.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	2472	fontview.exe
Token: SeCreatePagefilePrivilege	2472	fontview.exe
Token: SeDebugPrivilege	2304	taskmgr.exe
Token: SeSystemProfilePrivilege	2304	taskmgr.exe
Token: SeCreateGlobalPrivilege	2304	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exe

description	pid	process	target process
PID 3468 wrote to memory of 3412	3468	file.exe	ngentask.exe
PID 3468 wrote to memory of 3412	3468	file.exe	ngentask.exe
PID 3468 wrote to memory of 3412	3468	file.exe	ngentask.exe
PID 3468 wrote to memory of 3412	3468	file.exe	ngentask.exe
PID 3468 wrote to memory of 3412	3468	file.exe	ngentask.exe
PID 3468 wrote to memory of 2472	3468	file.exe	fontview.exe
PID 3468 wrote to memory of 2472	3468	file.exe	fontview.exe
PID 3468 wrote to memory of 2472	3468	file.exe	fontview.exe
PID 3468 wrote to memory of 2472	3468	file.exe	fontview.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2548

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1200
2⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1104
2⤵
- Program crash
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3468 -ip 3468
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3468 -ip 3468
1⤵
PID:5084

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240550531.dll
Filesize
335KB

MD5
af92bfcb7e4c67628a686accbf4231df

SHA1
e5b392743d1731ca6fbe6b344d88028588548cac

SHA256
959bd4b08d3f72347082976e5e6b5ad2a04201cda4a4b67d27dc3dfe04c73ebe

SHA512
553c992234635a6e1463ce99107346200c8fbdcfc41421021761321a5e4621db774a6a0e7df0b3883bd1d367c0a58d031443ced015e01875b88e3695fb71f23c

Download Submit
memory/2472-148-0x0000000000765000-0x0000000000767000-memory.dmp

Filesize
8KB

Download
memory/2472-147-0x0000000000765000-0x0000000000767000-memory.dmp

Filesize
8KB

Download
memory/2472-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-145-0x0000000000000000-mapping.dmp

Download
memory/2472-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-150-0x0000000002670000-0x0000000003670000-memory.dmp

Filesize
16.0MB

Download
memory/2472-149-0x00000000006E0000-0x00000000006FD000-memory.dmp

Filesize
116KB

Download
memory/3412-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3412-135-0x0000000000000000-mapping.dmp

Download
memory/3412-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3412-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3412-142-0x00000000013A0000-0x00000000013AD000-memory.dmp

Filesize
52KB

Download
memory/3412-141-0x0000000001380000-0x0000000001389000-memory.dmp

Filesize
36KB

Download
memory/3412-139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-133-0x000000000DDA0000-0x000000000E09A000-memory.dmp

Filesize
3.0MB

Download
memory/3468-132-0x00000000032A0000-0x000000000342A000-memory.dmp

Filesize
1.5MB

Download
memory/3468-134-0x000000000DDA0000-0x000000000E09A000-memory.dmp

Filesize
3.0MB

Download
memory/3468-151-0x00000000032A0000-0x000000000342A000-memory.dmp

Filesize
1.5MB

Download
memory/3468-152-0x000000000DDA0000-0x000000000E09A000-memory.dmp

Filesize
3.0MB

Download
memory/3468-154-0x00000000032A0000-0x000000000342A000-memory.dmp

Filesize
1.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads