MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642
SHA3-384 hash: 02e02315de039de299656c705c633833499a50acb3aaaf2e0632aba134c02765828f8adfd96f5bbea90a933eec3b23f9
SHA1 hash: b5c23fa6a7da901fa6da1d728f331cbd7b511ca0
MD5 hash: 6c0c5757834168ac9537cd2a85a9ffad
humanhash: fruit-oscar-fruit-music
File name:6c0c5757834168ac9537cd2a85a9ffad.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'650'536 bytes
First seen:2021-09-05 06:12:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f530acf7acd4a5c8880ba2a4704d4cbb (14 x RaccoonStealer, 4 x Glupteba, 2 x Tofsee)
ssdeep 98304:Kv5ymCkjWLCQ27ksJHJJybs5eVvRYqa72use3wFCNu3:Kvb8LF6Hiieb/a7n/XNu3
Threatray 164 similar samples on MalwareBazaar
TLSH T1432633477EA2F897D251D07145AAE790DAFEBCE2B93883267394FA2F5C311C0C91E194
dhash icon b67e7c7d727e6e76 (11 x RaccoonStealer, 4 x Glupteba, 4 x Stop)
Reporter abuse_ch
Tags:exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6c0c5757834168ac9537cd2a85a9ffad.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-05 06:15:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec806923-7b71-4c48-9f17-785f68b73597

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185379/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.7556.11610.403.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Launching a service
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Sending a UDP request
Creating a file in the %temp% subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Disabling the operating system update service
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5fbf6d0-13fb-4250-8d17-b8fcc8de4c21
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845454
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Found Tor onion address
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477886 Sample: 4AV10wV3K5.exe Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 17 Found malware configuration 2->17 19 Antivirus detection for URL or domain 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 6 other signatures 2->23 6 4AV10wV3K5.exe 19 2->6         started        process3 signatures4 25 Detected unpacking (changes PE section rights) 6->25 9 WerFault.exe 6->9         started        11 WerFault.exe 6->11         started        13 WerFault.exe 6->13         started        15 11 other processes 6->15 process5
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-05 06:13:15 UTC
AV detection:
12 of 42 (28.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bcmaod3rafo6igvufos63qowoiknh7um4eg7v4xt23boutyqqzba._file
Verdict:
unknown
Similar samples:
07792a24e211c9addd2b46ff799ecda7ab119edb6b043d66031097ae03c70c5f
Glupteba
0fc23c2e005cdfed1a0380dd7a06dda83b882f8d392c7f157b783822d21d78a1
Glupteba
2374688ef4bb51c7a7477bd3cac94db24f00f3707094e569aa4e4681d06a5176
Glupteba
27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881
Glupteba
44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0
Glupteba
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
Glupteba
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
Glupteba
a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
Glupteba
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
Glupteba
df0a2b50cba47cba62df3b128948dead529e8ccfbf59225e24bb47eadd2c4a81
Glupteba
+ 154 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210905-gyr9bsfhg2/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
dfc3dc63931b3197a9616b1297b1337a21032d1f2fb0c6e8eff0e8dc0cf69f7d
MD5 hash:
cc5d72eb4d87228d5b519675fbf06b39
SHA1 hash:
ce560038a870dbd3bd1b7af09693500bd8fa7a29
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/eaca9ad6-478e-4a01-9a46-41baff50a622/
Parent samples :
a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881
eddf51b647cdf3f3b1c93279ceff1e6967e36324126a24ed5d3301500ffdf66c
0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642
0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79
SH256 hash:
0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642
MD5 hash:
6c0c5757834168ac9537cd2a85a9ffad
SHA1 hash:
b5c23fa6a7da901fa6da1d728f331cbd7b511ca0
Link:
https://www.unpac.me/results/eaca9ad6-478e-4a01-9a46-41baff50a622/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0898070f7101/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1593431/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185379/

Comments