lgoogloader | 8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9 | Triage

Submit
Reports

Overview

overview

Static

static

3

a.exe

windows10-2004-x64

Resubmissions

20-05-2023 01:01

230520-bdhlhahd64 10

20-05-2023 00:59

230520-bb6wbahd52 10

17-05-2023 15:12

230517-sld2qafe25 10

16-05-2023 18:13

230516-wt6ngsbb3s 10

16-05-2023 18:11

230516-wsz5babb2w 10

16-05-2023 18:10

230516-wr6wgabb2s 10

16-05-2023 18:03

230516-wm22qabh79 10

Sharing

General

Target

a.bin
Size

5KB
Sample

230516-wsz5babb2w
MD5

69525fa93fd47eb3c533afe3b1baba48
SHA1

3dea1b337987177c73c64e89b370d90dc94c64cb
SHA256

8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
SHA512

909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182
SSDEEP

48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

Score

10^/10

lgoogloader redline downloader evasion infostealer persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a.exe

Resource

win10v2004-20230220-en

lgoogloader redline downloader evasion infostealer persistence

windows10-2004-x64

31 signatures

1800 seconds

Malware Config

Targets

- Target
  
  a.bin
- Size
  
  5KB
- MD5
  
  69525fa93fd47eb3c533afe3b1baba48
- SHA1
  
  3dea1b337987177c73c64e89b370d90dc94c64cb
- SHA256
  
  8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
- SHA512
  
  909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182
- SSDEEP
  
  48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt
Score

10^/10

lgoogloader redline downloader evasion infostealer persistence
- Detects LgoogLoader payload
- LgoogLoader
  A downloader capable of dropping and executing other malware families.
  downloader lgoogloader
- Modifies WinLogon for persistence
  persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

lgoogloaderredlinedownloaderevasioninfostealerpersistence

© 2018-2024

Terms | Privacy