MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0631f79b64656ff71ed923284acc5ee41ebb530eb42cecbd78846b6ddd180b9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0631f79b64656ff71ed923284acc5ee41ebb530eb42cecbd78846b6ddd180b9f
SHA3-384 hash: 285965c363ebf38b0131acd9d35f2ed03f31b75c763ba688867d1332b6b1d3f609b0982153c68c63efa00f42a86bd30a
SHA1 hash: da90086a30250d5612cb965533d329de770c752c
MD5 hash: 1a7e7794c44762d411d383fac32d45f2
humanhash: seven-virginia-delaware-papa
File name:0631f79b64656ff71ed923284acc5ee41ebb530eb42cecbd78846b6ddd180b9f
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'647'936 bytes
First seen:2021-05-25 06:53:58 UTC
Last seen:2021-05-25 07:01:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 27ed4176d20d4a51f5885d6804a35f62 (1 x CryptBot, 1 x Glupteba)
ssdeep 98304:+muqaIf6jjrJGL0fhyC6t8h5gCbeLTfeOt0ADXlc:fJzM4LmyNlCSL7eIU
Threatray 97 similar samples on MalwareBazaar
TLSH 50263331ABD0F434F4F261FC10F686A4B73A7EB02BB420CB26E946E955B89D09D71356
Reporter JAMESWT_WT
Tags:Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
401
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0631f79b64656ff71ed923284acc5ee41ebb530eb42cecbd78846b6ddd180b9f
Verdict:
No threats detected
Analysis date:
2021-05-25 06:57:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/31570c1d-521e-4770-9a38-97d09e18746c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161693/
Detection(s):
Win.Malware.Dropperx-9862667-0
Create hunting rule

Win.Packed.Generickdz-9862681-0
Create hunting rule

Win.Malware.Pwsx-9862682-0
Create hunting rule

Win.Malware.Pwsx-9862725-0
Create hunting rule

Win.Malware.SmokeLoader-9863030-1
Create hunting rule

Win.Malware.SmokeLoader-9863103-1
Create hunting rule

Win.Packed.Generickdz-9864067-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
DNS request
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791222
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Installs VirtualBox drivers
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Sigma detected: Suspicious Service DACL Modification
Sigma detected: System File Execution Location Anomaly
Submitted sample is a known malware sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Yara detected VBox Vulnerable Driver
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423618 Sample: nJZ4enUYqO Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 100 Multi AV Scanner detection for domain / URL 2->100 102 Antivirus detection for URL or domain 2->102 104 Antivirus detection for dropped file 2->104 106 13 other signatures 2->106 11 nJZ4enUYqO.exe 19 2->11         started        14 csrss.exe 2->14         started        16 csrss.exe 2->16         started        18 4 other processes 2->18 process3 signatures4 124 Detected unpacking (changes PE section rights) 11->124 126 Detected unpacking (overwrites its own PE header) 11->126 128 Modifies the windows firewall 11->128 130 Drops PE files with benign system names 11->130 20 nJZ4enUYqO.exe 11 2 11->20         started        25 csrss.exe 14->25         started        27 csrss.exe 16->27         started        29 csrss.exe 18->29         started        process5 dnsIp6 82 humisnee.com 172.67.206.104, 443, 49749 CLOUDFLARENETUS United States 20->82 78 C:\Windows\rss\csrss.exe, PE32 20->78 dropped 108 Drops executables to the windows directory (C:\Windows) and starts them 20->108 110 Creates an autostart registry key pointing to binary in C:\Windows 20->110 31 csrss.exe 3 10 20->31         started        36 cmd.exe 1 20->36         started        file7 signatures8 process9 dnsIp10 84 blinkroast.info 104.21.4.27, 443, 49757 CLOUDFLARENETUS United States 31->84 86 spolaect.info 172.67.161.225, 443, 49756 CLOUDFLARENETUS United States 31->86 88 3 other IPs or domains 31->88 70 C:\Windows\windefender.exe, PE32 31->70 dropped 72 C:\Windows\System32\drivers\Winmon.sys, PE32+ 31->72 dropped 74 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 31->74 dropped 76 5 other files (1 malicious) 31->76 dropped 90 Antivirus detection for dropped file 31->90 92 Multi AV Scanner detection for dropped file 31->92 94 Detected unpacking (changes PE section rights) 31->94 98 5 other signatures 31->98 38 dsefix.exe 31->38         started        42 windefender.exe 31->42         started        44 injector.exe 31->44         started        50 6 other processes 31->50 96 Uses netsh to modify the Windows network and firewall settings 36->96 46 netsh.exe 3 36->46         started        48 conhost.exe 36->48         started        file11 signatures12 process13 file14 80 C:\Windows\System32\drivers\VBoxDrv.sys, PE32+ 38->80 dropped 112 Antivirus detection for dropped file 38->112 114 Multi AV Scanner detection for dropped file 38->114 116 Submitted sample is a known malware sample 38->116 122 2 other signatures 38->122 52 conhost.exe 38->52         started        118 Machine Learning detection for dropped file 42->118 54 conhost.exe 44->54         started        120 Creates files in the system32 config directory 46->120 56 conhost.exe 50->56         started        58 conhost.exe 50->58         started        60 conhost.exe 50->60         started        62 2 other processes 50->62 signatures15 process16 process17 64 cmd.exe 56->64         started        process18 66 conhost.exe 64->66         started        68 sc.exe 64->68         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0631f79b64656ff71ed923284acc5ee41ebb530eb42cecbd78846b6ddd180b9f/
Threat name:
Win32.Trojan.RanumBot
Create hunting rule
Status:
Malicious
First seen:
2021-05-18 01:09:51 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
42 of 47 (89.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ayy7pg3emvx7ohwzemuevtc64qplwuyowqwozplyqrvw3xiybopq._file
Verdict:
malicious
Similar samples:
0de430b38bdccba626c6c0c5c8297057fd434ccc7a0d4c84bc066eb9dde07420
Glupteba
10ca39f81fb42e95a9dc694244aa826b0d7b8132a12e861732f59add8bb37256
Glupteba
129da3e565d7ab1c5e5c3705be3811b629e058be9af50d354bf7949605062416
Glupteba
1f9578b50263a8f756344b1f1a7c9d8b9e3dcc651aa34ec07bf46e8cc68470eb
Glupteba
397bfeb1261e2856bde7456470832206f54b77ef6a2ad5d1bda8c50a71cd2936
Glupteba
4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
Glupteba
919a4877c1435674718c7ffd0c8c5ff7f5876be471fd8419875fb5dc1bdf3dd9
Glupteba
9458e942802c493170321e2eb09fbbd9ecc928e85708c3b08475593e9c59abf2
Glupteba
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
Glupteba
eeab7273fbf740c764fa5bc8ec2595919715dcff3fb91c45f7bfb6640bd2a9a0
Glupteba
+ 87 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210525-54y8elj2x6/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0631f79b64656ff71ed923284acc5ee41ebb530eb42cecbd78846b6ddd180b9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:QnapCrypt
Create hunting rule
Author:Intezer Labs
Reference:https://www.intezer.com
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/161693/

Comments