MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02e3af4e6de5b587d1bb7ffe0b9346f48034dfacca31fda114a5632fd47090f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02e3af4e6de5b587d1bb7ffe0b9346f48034dfacca31fda114a5632fd47090f1
SHA3-384 hash: 3812527747566b970b7d01dfde911b935d31a2b6fd86a4ea15aa9c334511aea1776e7baf8e5d75284be2d242ab4bcae1
SHA1 hash: 1befa06ebdf316e1a8b51651f2eed4cfef8f6c33
MD5 hash: da9e0c931c52a8d6bd3f15c9b1e3c8d0
humanhash: robert-september-hydrogen-east
File name:da9e0c931c52a8d6bd3f15c9b1e3c8d0.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'660'736 bytes
First seen:2021-05-25 07:12:24 UTC
Last seen:2021-05-25 08:04:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 13909e13bc7a3ef67a55b96a4b540893 (1 x Glupteba, 1 x Formbook)
ssdeep 98304:FLON8nRSMbGCnwA2sGDWwR2sATquJU1fMA31r+9rPHEtj44:dg9yGrsGDWwzAz25l+9rijZ
Threatray 97 similar samples on MalwareBazaar
TLSH 542633215AC0C438E4F756BA0932D7B9D62E7D81F73004EB62D926ED12B12D56E703EB
Reporter abuse_ch
Tags:exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
384
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da9e0c931c52a8d6bd3f15c9b1e3c8d0.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-25 07:15:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6d43060d-e1cc-4954-953c-aae38c7c7b3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161733/
Detection(s):
Win.Ransomware.Generickdz-9864351-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791241
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423637 Sample: R9Gmet12Tt.exe Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 84 Multi AV Scanner detection for domain / URL 2->84 86 Antivirus detection for URL or domain 2->86 88 Antivirus detection for dropped file 2->88 90 11 other signatures 2->90 9 R9Gmet12Tt.exe 19 2->9         started        12 svchost.exe 2->12         started        14 csrss.exe 2->14         started        16 12 other processes 2->16 process3 dnsIp4 100 Detected unpacking (changes PE section rights) 9->100 102 Detected unpacking (overwrites its own PE header) 9->102 104 Modifies the windows firewall 9->104 106 Drops PE files with benign system names 9->106 19 R9Gmet12Tt.exe 11 2 9->19         started        108 Changes security center settings (notifications, updates, antivirus, firewall) 12->108 24 csrss.exe 14->24         started        72 127.0.0.1 unknown unknown 16->72 26 csrss.exe 16->26         started        signatures5 process6 dnsIp7 74 humisnee.com 104.21.93.73, 443, 49724 CLOUDFLARENETUS United States 19->74 76 192.168.2.1 unknown unknown 19->76 62 C:\Windows\rss\csrss.exe, PE32 19->62 dropped 96 Drops executables to the windows directory (C:\Windows) and starts them 19->96 98 Creates an autostart registry key pointing to binary in C:\Windows 19->98 28 csrss.exe 3 8 19->28         started        33 cmd.exe 1 19->33         started        file8 signatures9 process10 dnsIp11 78 spolaect.info 104.21.33.110, 443, 49729 CLOUDFLARENETUS United States 28->78 80 server11.sndvoices.com 172.67.218.8, 443, 49726, 49727 CLOUDFLARENETUS United States 28->80 82 3 other IPs or domains 28->82 64 C:\Windows\System32\drivers\Winmon.sys, PE32+ 28->64 dropped 66 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 28->66 dropped 68 C:\Users\...68tQuerySystemInformationHook.dll, PE32+ 28->68 dropped 70 3 other files (none is malicious) 28->70 dropped 110 Antivirus detection for dropped file 28->110 112 Multi AV Scanner detection for dropped file 28->112 114 Detected unpacking (changes PE section rights) 28->114 118 5 other signatures 28->118 35 injector.exe 28->35         started        38 schtasks.exe 1 28->38         started        40 mountvol.exe 1 28->40         started        46 4 other processes 28->46 116 Uses netsh to modify the Windows network and firewall settings 33->116 42 netsh.exe 3 33->42         started        44 conhost.exe 33->44         started        file12 signatures13 process14 signatures15 92 Multi AV Scanner detection for dropped file 35->92 48 conhost.exe 35->48         started        50 conhost.exe 38->50         started        52 conhost.exe 40->52         started        94 Creates files in the system32 config directory 42->94 54 conhost.exe 46->54         started        56 conhost.exe 46->56         started        58 conhost.exe 46->58         started        60 conhost.exe 46->60         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02e3af4e6de5b587d1bb7ffe0b9346f48034dfacca31fda114a5632fd47090f1/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 07:13:09 UTC
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0631f79b64656ff71ed923284acc5ee41ebb530eb42cecbd78846b6ddd180b9f
Glupteba
0de430b38bdccba626c6c0c5c8297057fd434ccc7a0d4c84bc066eb9dde07420
Glupteba
10ca39f81fb42e95a9dc694244aa826b0d7b8132a12e861732f59add8bb37256
Glupteba
129da3e565d7ab1c5e5c3705be3811b629e058be9af50d354bf7949605062416
Glupteba
1f9578b50263a8f756344b1f1a7c9d8b9e3dcc651aa34ec07bf46e8cc68470eb
Glupteba
397bfeb1261e2856bde7456470832206f54b77ef6a2ad5d1bda8c50a71cd2936
Glupteba
4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
Glupteba
919a4877c1435674718c7ffd0c8c5ff7f5876be471fd8419875fb5dc1bdf3dd9
Glupteba
9458e942802c493170321e2eb09fbbd9ecc928e85708c3b08475593e9c59abf2
Glupteba
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
Glupteba
+ 87 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210525-wjc2l29lhs/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02e3af4e6de5b587d1bb7ffe0b9346f48034dfacca31fda114a5632fd47090f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:QnapCrypt
Create hunting rule
Author:Intezer Labs
Reference:https://www.intezer.com
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_zloader_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 02e3af4e6de5b587d1bb7ffe0b9346f48034dfacca31fda114a5632fd47090f1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1279245/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/161733/

Comments