MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b163e6d55ba619377cff9ef05f554bf2736dfac676b0cc8e14552396ef62374. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 10


Intelligence 10 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b163e6d55ba619377cff9ef05f554bf2736dfac676b0cc8e14552396ef62374
SHA3-384 hash: 5fa3906a03e12c2f22578f1b000abdc3835f220aeb899005d20ae9b749557018bc2b0f9921b236685ba2fc976679da59
SHA1 hash: bc4b7d79fad2b3c0852871c2b946f5c791ad0788
MD5 hash: 1a21ea98bbb4b767c9271ef87fc66bc2
humanhash: georgia-quebec-oxygen-ack
File name:1a21ea98bbb4b767c9271ef87fc66bc2
Download: download sample
Signature Glupteba
Create hunting rule
File size:6'614'528 bytes
First seen:2022-10-18 17:36:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bfd37e48a0772ece5d58c788c1bc296 (1 x Glupteba)
ssdeep 49152:bkmZbQsxBXQbKXmuAFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcr:bkcbf6bKXTSjL+EnHOMz5ysZA5+bf6c
Threatray 25 similar samples on MalwareBazaar
TLSH T11766CE6A35D7C1A6C85204B40D9EA3F1593F2A45592788696FE00F8D0FBF5C73A6232F
TrID 66.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
26.2% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.3% (.EXE) InstallShield setup (43053/19/16)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321463/
Detection(s):
SecuriteInfo.com.BackDoor.Siggen2.4144.26280.28378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43685/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/634ee440fdf6478a15af8115/reports/ecd6ab19-b480-40c4-9175-1489cdef96e1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43df4f2c-8a3d-40c9-be5a-49ca4bfe3fb7
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1092939
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725561 Sample: ydPD5WWnhg.exe Startdate: 18/10/2022 Architecture: WINDOWS Score: 88 35 Antivirus detection for URL or domain 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected CryptOne packer 2->39 41 Found many strings related to Crypto-Wallets (likely being stolen) 2->41 7 ydPD5WWnhg.exe 2->7         started        process3 dnsIp4 31 217.195.155.154, 49709, 8081 SHOCK-1US Netherlands 7->31 33 get.geojs.io 172.67.70.233, 443, 49710 CLOUDFLARENETUS United States 7->33 43 Detected unpacking (changes PE section rights) 7->43 45 Detected unpacking (overwrites its own PE header) 7->45 47 Tries to harvest and steal browser information (history, passwords, etc) 7->47 11 cmd.exe 1 7->11         started        13 cmd.exe 1 7->13         started        15 WMIC.exe 1 7->15         started        17 15 other processes 7->17 signatures5 process6 process7 19 WMIC.exe 1 11->19         started        21 conhost.exe 11->21         started        23 WMIC.exe 1 13->23         started        25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        29 conhost.exe 17->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b163e6d55ba619377cff9ef05f554bf2736dfac676b0cc8e14552396ef62374/
Threat name:
Win32.Spyware.Aurorastealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 17:12:43 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bmld43kvxjqzg56p7hxql5kux4ttnx5mm5vqzshbivjds3xwen2a._file
Verdict:
malicious
Similar samples:
12cb9836ae8b5bc9cc1b671a13cc0c259005bad8fc13991ad28fa0a73dc4fdaa
Glupteba
3a31805ece3bf663781939d4baf36699115de14c9814c0142b6c2aa2cc2e2cda
Glupteba
5f2f29011be6cf5de2a601ddd3ea58224a73f663725f81a87a8659b520000e36
Glupteba
760aa40751dd20657c6b0c9cf925f9e3afbf7078997171ee5fa03ef011aae03f
Glupteba
8b5320743f143e52e4d186b1244b9940a3538893eb22f324ef568e1ab2495b8d
Glupteba
8eb6ae80fd83cdfb03f10de49649d97029f10c3074e0683b9c9c9094b469289d
Glupteba
c5851f9f14f370e7cb513418a3f65cc9afccd970a6e49479b643df9d5b0c27ca
Glupteba
eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362
Glupteba
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221018-v65fhsgeg2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Gathering data
Unpacked files
SH256 hash:
69d043f055680cbd141f3b1f02d9f893d0984596f1702b85aa960f8980bc6b6e
MD5 hash:
9b48c7427e6d09b88e0f40453f1b5e7b
SHA1 hash:
f40bcd1863f21f6fe9ec914ff432d84492860aa0
Link:
https://www.unpac.me/results/5dc95b72-9ead-4caa-a402-2d31782cb695/
SH256 hash:
0b163e6d55ba619377cff9ef05f554bf2736dfac676b0cc8e14552396ef62374
MD5 hash:
1a21ea98bbb4b767c9271ef87fc66bc2
SHA1 hash:
bc4b7d79fad2b3c0852871c2b946f5c791ad0788
Link:
https://www.unpac.me/results/5dc95b72-9ead-4caa-a402-2d31782cb695/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b163e6d55ba619377cff9ef05f554bf2736dfac676b0cc8e14552396ef62374

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 0b163e6d55ba619377cff9ef05f554bf2736dfac676b0cc8e14552396ef62374

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2350084/
Cape
Cape
https://www.capesandbox.com/analysis/321463/

Comments


Avatar
zbet commented on 2022-10-18 17:37:04 UTC

url : hxxp://179.43.163.115/intersock.exe