MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f09f8f60741e8b3c28dc927ff1b3318d8faa623d641704b605bc38142f54f28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 14



SHA256 hash: 0f09f8f60741e8b3c28dc927ff1b3318d8faa623d641704b605bc38142f54f28
SHA3-384 hash: 7de7b7ffe563f43ec689424c46d5fbfd3653246db3bc0c4b74ed8164e98c7b6a37c8a110a541e35e3962d0643118c86a
SHA1 hash: d03d8e89a6c75a14f512eeabf180a2f69d30e884
MD5 hash: 326781a332c7040492dc96b13fb126e5
humanhash: beryllium-jupiter-asparagus-oven
File name: 326781a332c7040492dc96b13fb126e5.exe
Signature: Glupteba
File size: 144'384 bytes
First seen: 2023-11-12 09:10:11 UTC
Last seen: 2023-11-12 10:24:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 3072:Oq+kTdFfyZfJ+xjLkTVXbpL9FCOjrAJDH+9s9uAFfvUC:OkTdZy18JLgXbp9F5bo
TLSH: T18FE37C0BB2F9A2D4D5F64AF6D97930500371746A2A3DE78D4D04328EF824F4196C7BAB
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe Glupteba

Intelligence


File Origin
# of uploads: 2
# of downloads: 321
Origin country: NL

Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: fa951d632a6b1c8efb577fc5b43a64b5.exe
Verdict: Malicious activity
Analysis date: 2023-11-12 19:07:44 UTC
Tags: stealc stealer redline lumma loader raccoon recordbreaker smoke trojan miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Vidar
Detection: malicious
Classification: spyw.expl.evad.troj
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking computer name)
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1341292
Sample: GluWtKC2hE.exe
Start date: 12/11/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures

Process tree (network contacts, dropped files and signatures listed under the node the graph attributes them to):
- GluWtKC2hE.exe
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; 2 other signatures
    - CasPol.exe
        Network: 107.167.110.211 (OPERASOFTWAREUS, United States); 177.229.198.250 (MegaCableSAdeCVMX, Mexico); 11 other IPs or domains
        Dropped: C:\Users\...\iogyFRzcmwUtIp381YpIL4ro.exe (PE32); C:\Users\...\dRhlMsSpl67Qa6QVtmY4r2Y6.exe (PE32); C:\Users\...\WoDm08UiKMmItVRcmsshqGLY.exe (PE32); 19 other malicious files
        Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior)
        - dRhlMsSpl67Qa6QVtmY4r2Y6.exe
            Network: 107.167.110.216 (OPERASOFTWAREUS, United States); 7 other IPs or domains
            Dropped: Opera_installer_2311120929105917232.dll (PE32); C:\Users\user\AppData\Local\...\opera_package (PE32); C:\Users\user\...\additional_file0.tmp (PE32); 3 other malicious files
            - dRhlMsSpl67Qa6QVtmY4r2Y6.exe
                Dropped: Opera_installer_2311120929159607520.dll (PE32); C:\Users\user\AppData\...\win8_importing.dll (PE32+); 18 other malicious files
                - dRhlMsSpl67Qa6QVtmY4r2Y6.exe
                    Dropped: Opera_installer_2311120929167967604.dll (PE32)
            - Assistant_103.0.4928.25_Setup.exe_sfx.exe
                Dropped: C:\Users\user\AppData\Local\...\mojo_core.dll (PE32); C:\Users\user\AppData\Local\...\launcher.exe (PE32); C:\Users\user\AppData\Local\...\dbghelp.dll (PE32); 3 other malicious files
            - dRhlMsSpl67Qa6QVtmY4r2Y6.exe
                Dropped: Opera_installer_2311120929128667252.dll (PE32)
            - 2 other processes
                Dropped: Opera_installer_2311120929140387356.dll (PE32)
        - NmdKMWACZgvHn54VbjzJ1ysg.exe
            Network: 5.182.38.138 (VMAGE-ASRU, Russian Federation); 149.154.167.99 (TELEGRAMRU, United Kingdom); 168.119.173.77 (HETZNER-ASDE, Germany)
            Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 10 other files (6 malicious)
            Signatures: Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
            - 2 other processes
                - conhost.exe
                - conhost.exe
                - timeout.exe
        - 2EXpXbQF852ggWhHjoYjJN98.exe
            Network: 4 other IPs or domains
            Dropped: C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 5 other signatures
            - WerFault.exe
                Network: 52.168.117.172 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
        - 4 other processes
            Network: 104.21.38.126 (CLOUDFLARENETUS, United States)
            Dropped: C:\Users\user\AppData\Local\Temp\Broom.exe (PE32)
            Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found Tor onion address
            - Broom.exe
                Signatures: Multi AV Scanner detection for dropped file
            - 4 other processes
                - powershell.exe
                    - conhost.exe
                - powershell.exe
                    - conhost.exe
                - conhost.exe
                - conhost.exe
    - powershell.exe
        - conhost.exe
- cmd.exe
    - 0VqngK3huxG0fB4cUszgux5K.exe
        Dropped: C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); 3 other malicious files
        Signatures: Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Machine Learning detection for dropped file; 3 other signatures
    - conhost.exe
    - Conhost.exe
- cmd.exe
    - 8uSPSm2hIsw2QBSabu2WrycX.exe
        Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
        - cmd.exe
            - 4 other processes
                - 8uSPSm2hIsw2QBSabu2WrycX.exe
                    - powershell.exe
                        - conhost.exe
    - conhost.exe
- 2 other processes
    Network: 23.60.72.63 (AKAMAI-ASUS, United States); 127.0.0.1 (unknown)
    - VzgX3dj8J3tA5KUoVHqOBQWE.exe
    - conhost.exe
        - Conhost.exe
Threat name: ByteCode-MSIL.Trojan.Amadey
Status: Malicious
First seen: 2023-11-12 09:11:04 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 18 of 23 (78.26%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion spyware stealer themida trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Themida packer
UPX packed file
Windows security modification
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 0f09f8f60741e8b3c28dc927ff1b3318d8faa623d641704b605bc38142f54f28
MD5 hash: 326781a332c7040492dc96b13fb126e5
SHA1 hash: d03d8e89a6c75a14f512eeabf180a2f69d30e884
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 0f09f8f60741e8b3c28dc927ff1b3318d8faa623d641704b605bc38142f54f28 (this sample)

Delivery method: Distributed via web download

Comments