MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79
SHA3-384 hash: 879ec23d49c2f2ce2bc32b4169d0481f2c307919dbb5cf5adfb215f0183035480cf3a851d2cd7e26cb50cb3faa601cb6
SHA1 hash: 16f7a723d840c7a6cf283e62b68be5be7fd23458
MD5 hash: 1716b0d11963d97541eabbaed24d892d
humanhash: california-september-fillet-colorado
File name:1716b0d11963d97541eabbaed24d892d
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'616'232 bytes
First seen:2021-09-06 11:22:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e3d6341e28c6bbcc1b62678f16dfd32d (1 x Glupteba, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 98304:zd5x3VsUT7lI3mRAPQEE+ZCE63+2lI/7StvG1j6p6D8F5n9NJtX:zd5x3Vs/2wnEbPlIEvcN8FN
Threatray 172 similar samples on MalwareBazaar
TLSH T14226337E339DC848CCCADD749475E2F288A5A914AE90C08F7B5127DC4ED19D2B93A31E
dhash icon 81bcdca89cccb484 (1 x Glupteba)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1716b0d11963d97541eabbaed24d892d
Verdict:
Suspicious activity
Analysis date:
2021-09-06 11:22:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab797b89-b533-47f3-97e5-ee6ab0f28461

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185643/
Detection(s):
SecuriteInfo.com.Variant.Jaik.47587.19711.5026.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Creating a file in the %temp% subdirectories
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Launching a service
Sending a UDP request
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Disabling the operating system update service
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ceadb246-2a2a-4a76-90d9-4278716371f8
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845951
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Found Tor onion address
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478382 Sample: LQyWMV4Pru Startdate: 06/09/2021 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Antivirus detection for URL or domain 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 6 other signatures 2->37 6 LQyWMV4Pru.exe 19 2->6         started        9 svchost.exe 2->9         started        11 svchost.exe 1 2->11         started        13 svchost.exe 1 2->13         started        process3 signatures4 39 Detected unpacking (changes PE section rights) 6->39 15 WerFault.exe 6->15         started        17 WerFault.exe 6->17         started        19 WerFault.exe 6->19         started        27 13 other processes 6->27 21 WerFault.exe 9->21         started        23 WerFault.exe 9->23         started        25 WerFault.exe 9->25         started        29 13 other processes 9->29 process5
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 11:23:06 UTC
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvv6yuu5p4nt7mbxiwupuqcuivoak7xzgcsy3arxottltejs5r4q._file
Verdict:
malicious
Similar samples:
0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642
Glupteba
2374688ef4bb51c7a7477bd3cac94db24f00f3707094e569aa4e4681d06a5176
Glupteba
27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881
Glupteba
44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0
Glupteba
6ac8f87ce26a0a9ad330c8b42342b6891d12df43be535f9c487855182a39aa1f
Glupteba
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
Glupteba
a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
Glupteba
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
Glupteba
de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b
Glupteba
eddf51b647cdf3f3b1c93279ceff1e6967e36324126a24ed5d3301500ffdf66c
Glupteba
+ 162 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210906-ng5xesbaa9/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
dfc3dc63931b3197a9616b1297b1337a21032d1f2fb0c6e8eff0e8dc0cf69f7d
MD5 hash:
cc5d72eb4d87228d5b519675fbf06b39
SHA1 hash:
ce560038a870dbd3bd1b7af09693500bd8fa7a29
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/d60dd06b-07d9-416f-af4d-7a1c91369a47/
Parent samples :
a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881
eddf51b647cdf3f3b1c93279ceff1e6967e36324126a24ed5d3301500ffdf66c
0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642
0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79
SH256 hash:
0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79
MD5 hash:
1716b0d11963d97541eabbaed24d892d
SHA1 hash:
16f7a723d840c7a6cf283e62b68be5be7fd23458
Link:
https://www.unpac.me/results/d60dd06b-07d9-416f-af4d-7a1c91369a47/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0d6bec529d7f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185643/

Comments


Avatar
zbet commented on 2021-09-06 11:22:22 UTC

url : hxxp://qwertys.info/82550150ac3397ed391e34aa99d35be4.exe