lgoogloader | 044e62e14faf9e06d2759ac0d62b4c6cb3a103fe287e235c48ab1c64604cfe3a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2023, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4adf9b20011bc571b61884f1b630a84a.exe
Size

1.6MB
MD5

4adf9b20011bc571b61884f1b630a84a
SHA1

fa9b755b0c0a86183ce059ec5c03a57ebd292de9
SHA256

044e62e14faf9e06d2759ac0d62b4c6cb3a103fe287e235c48ab1c64604cfe3a
SHA512

e25bcffb6b9615ee0945c9d3692bb692ebc1ae733fd515a5fbc0ccfced2fcf03c3e022c75f8635b2f709b21ff248dce3f9ba3822c4e7f1acc931d22c414915a9
SSDEEP

24576:gncYAIIhJ6Z1NM97KM/th4FosodIWp26ICk95akZPa/S6Dh/aI5:2GJ6q7DQi3dTp2/9gpRaI5

Score

10^/10

lgoogloader rhadamanthys downloader stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral2/memory/2276-149-0x0000000002DD0000-0x0000000002DEC000-memory.dmp	family_rhadamanthys
behavioral2/memory/2276-153-0x0000000002DD0000-0x0000000002DEC000-memory.dmp	family_rhadamanthys

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/4108-140-0x00000000019B0000-0x00000000019BD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4156 created 2944	4156	4adf9b20011bc571b61884f1b630a84a.exe	43

Loads dropped DLL 1 IoCs

pid	Process
4156	4adf9b20011bc571b61884f1b630a84a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2276	fontview.exe
2276	fontview.exe
2276	fontview.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4156 set thread context of 4108	4156	4adf9b20011bc571b61884f1b630a84a.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2696	4156	WerFault.exe	85
4944	4156	WerFault.exe	85

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe
4156	4adf9b20011bc571b61884f1b630a84a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2276	fontview.exe
Token: SeCreatePagefilePrivilege	2276	fontview.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 4108	4156	4adf9b20011bc571b61884f1b630a84a.exe	89
PID 4156 wrote to memory of 4108	4156	4adf9b20011bc571b61884f1b630a84a.exe	89
PID 4156 wrote to memory of 4108	4156	4adf9b20011bc571b61884f1b630a84a.exe	89
PID 4156 wrote to memory of 4108	4156	4adf9b20011bc571b61884f1b630a84a.exe	89
PID 4156 wrote to memory of 4108	4156	4adf9b20011bc571b61884f1b630a84a.exe	89
PID 4156 wrote to memory of 2276	4156	4adf9b20011bc571b61884f1b630a84a.exe	90
PID 4156 wrote to memory of 2276	4156	4adf9b20011bc571b61884f1b630a84a.exe	90
PID 4156 wrote to memory of 2276	4156	4adf9b20011bc571b61884f1b630a84a.exe	90
PID 4156 wrote to memory of 2276	4156	4adf9b20011bc571b61884f1b630a84a.exe	90

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2944
- C:\Windows\SysWOW64\fontview.exe
  "C:\Windows\SYSWOW64\fontview.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2276

C:\Users\Admin\AppData\Local\Temp\4adf9b20011bc571b61884f1b630a84a.exe
"C:\Users\Admin\AppData\Local\Temp\4adf9b20011bc571b61884f1b630a84a.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  PID:4108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1236
  2⤵
  - Program crash
  PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1220
  2⤵
  - Program crash
  PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4156 -ip 4156
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4156 -ip 4156
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240557312.dll

Filesize
334KB

MD5
4cb75f40755bf606f8a5f1b0bc1db511

SHA1
0e4fd3965245063a55ab411016a98c52e3498bca

SHA256
4c3b45b602867d875c6377fca5823a5134f991858d69efce61cccf63b3eadc3f

SHA512
2e54c0c7dba5cd54362a0d9a9407431faed52aba86acefe3843e509c316e9f51f12f6f17d2762f42d3c5e1f588bb774d0c9683c7f9527cf33a8a0c12634cef48

Download Submit
memory/2276-149-0x0000000002DD0000-0x0000000002DEC000-memory.dmp

Filesize
112KB

Download
memory/2276-145-0x0000000000FB0000-0x0000000000FE3000-memory.dmp

Filesize
204KB

Download
memory/2276-150-0x0000000001410000-0x0000000001412000-memory.dmp

Filesize
8KB

Download
memory/2276-152-0x0000000001410000-0x0000000001413000-memory.dmp

Filesize
12KB

Download
memory/2276-153-0x0000000002DD0000-0x0000000002DEC000-memory.dmp

Filesize
112KB

Download
memory/2276-154-0x0000000000FB0000-0x0000000000FE3000-memory.dmp

Filesize
204KB

Download
memory/4108-137-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4108-138-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4108-140-0x00000000019B0000-0x00000000019BD000-memory.dmp

Filesize
52KB

Download
memory/4108-139-0x0000000001550000-0x0000000001559000-memory.dmp

Filesize
36KB

Download
memory/4108-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4156-134-0x000000000F450000-0x000000000F720000-memory.dmp

Filesize
2.8MB

Download