Windows
Analysis Report
file.exe
Overview
General Information
Detection
lgoogLoader
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected lgoogLoader
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
Contains functionality to infect the boot sector
Sample is not signed and drops a device driver
Contains functionality to detect virtual machines
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large strings
Contains functionality to inject code into remote processes
Sample uses string decryption to hide its real strings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Enables driver privileges
Drops PE files
Creates driver files
Contains functionality to launch a program with higher privileges
Spawns drivers
PE / OLE file has an invalid certificate
Creates or modifies windows services
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- file.exe (PID: 6596, cmdline: C:\Users\user\Desktop\file.exe, MD5: 851DFEB9035473532D796A9B41608B3C)
- jsc.exe (PID: 2040, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe, MD5: 2B40A449D6034F41771A460DADD53A60)
- mscorsvw.exe (PID: 3092, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe, MD5: B00E9325AC7356A3F4864EAAAD48E13F)
- aspnet_compiler.exe (PID: 4768, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe, MD5: 7809A19AA8DA1A41F36B60B0664C4E20)
- RegSvcs.exe (PID: 7156, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)
- dfsvc.exe (PID: 4136, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, MD5: 48FD4DD682051712E3E7757C525DED71)
- aspnet_regbrowsers.exe (PID: 2192, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe, MD5: BF7E443F1E1FA88AD5A2A5EB44F42834)
- AddInProcess32.exe (PID: 4740, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe, MD5: F2A47587431C466535F3C3D3427724BE)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
LgoogLoader | LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file. | No Attribution | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth (Nextron Systems) | |
| JoeSecurity_lGoogLoader | Yara detected lgoogLoader | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
AV Detection
Evidence sources (detail cells not preserved in this copy of the report):
- ReversingLabs
- Virustotal (2 entries)
- Avira URL Cloud (2 entries)
- String decryptor
- Avira (2 entries)
- Static PE information
- Binary string (4 entries)
- String found in binary or memory (9 entries)
- Code function: 7_2_02B51000
System Summary
Evidence sources (detail cells not preserved in this copy of the report):
- Long String
- Matched rule
- Code function: 7_2_00404AF0, 7_2_004084B7, 7_2_01381AA8, 7_2_00402050, 7_2_02B5355B, 7_2_004029C0
- Static PE information (3 entries)
- Binary or memory string (2 entries)
- Process token adjusted
- File created (3 entries)
- Driver loaded
- Dropped File
- ReversingLabs
- Virustotal
- Key opened
- Process created (15 entries)
- Binary string
- Classification label
- Static file information
- Section loaded
- Base64 encoded string