MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
SHA3-384 hash: 0f6c1d7f970ef583cdb8f637a0a05ff967af75aa8303b6c5e943eb8d2b4dd41a9a5cc97ed757354cd520957b95487879
SHA1 hash: ca3adc7e4f1a027a2969749ccd5e2c1b06b88162
MD5 hash: 0c4043a9a9efff20810530fd0cad91d7
humanhash: california-colorado-ohio-sixteen
File name:file300un.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:396'198 bytes
First seen:2024-04-28 20:49:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:J6zu3pBE2tnPIuE2nGewVMGrNRdb2KZkfgV3:Izu3pBE2tnP3nGBeGHkKZkO
Threatray 387 similar samples on MalwareBazaar
TLSH T1B18423016AAE9FB7C8DE0738A97341C33771363135EBE7398D5CA12EA057A805874F66
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter bobross_malware2
Tags:exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
US US
Vendor Threat Intelligence
Malware family:
glupteba
Create hunting rule
ID:
1
File name:
1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc.exe
Verdict:
Malicious activity
Analysis date:
2024-04-28 20:51:50 UTC
Tags:
opendir gcleaner loader stealer stealc evasion discord arechclient2 backdoor trojan glupteba adware neoreklami privateloader
Link:
https://app.any.run/tasks/f3d6325d-eb72-4970-b577-bbd96c1a7f28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Searching for analyzing tools
Searching for the window
Modifying a system file
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Replacing files
Reading critical registry keys
Creating a window
Launching a service
Creating a file in the %AppData% subdirectories
Connecting to a non-recommended domain
Running batch commands
Sending a UDP request
Launching cmd.exe command interpreter
Connection attempt to an infection source
Query of malicious DNS domain
Blocking the Windows Defender launch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/662eb67b238e3ee25c5a18aa/reports/ed47485d-a6af-4638-be9a-4333db7ae4e7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9818ebce-ca1c-4546-a630-8ec5c2729265
Result
Threat name:
Glupteba, Mars Stealer, PureLog Stealer,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433006
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1433006 Sample: file300un.exe Startdate: 28/04/2024 Architecture: WINDOWS Score: 100 129 Found malware configuration 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 Antivirus detection for dropped file 2->133 135 15 other signatures 2->135 8 file300un.exe 3 2->8         started        11 cmd.exe 2->11         started        13 svchost.exe 24 2->13         started        15 5 other processes 2->15 process3 dnsIp4 167 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->167 169 Writes to foreign memory regions 8->169 171 Allocates memory in foreign processes 8->171 173 2 other signatures 8->173 18 InstallUtil.exe 15 216 8->18         started        23 WerFault.exe 19 16 8->23         started        25 conhost.exe 8->25         started        27 wG8H2Z7t8ReE1kbudSwx8qgd.exe 11->27         started        29 conhost.exe 11->29         started        31 WerFault.exe 2 13->31         started        125 20.190.190.196 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->125 127 72.21.81.240 EDGECASTUS United States 15->127 signatures5 process6 dnsIp7 115 107.167.110.211 OPERASOFTWAREUS United States 18->115 117 107.167.110.216 OPERASOFTWAREUS United States 18->117 121 8 other IPs or domains 18->121 75 C:\Users\...\yyXBxkOFw1IGbAOGL1VeiRkI.exe, PE32 18->75 dropped 77 C:\Users\...\yvyyVnt1T8IAc6ex7h0Bc2ba.exe, PE32 18->77 dropped 79 C:\Users\...\xSN4VhvSW4j9qApz84ddfzn2.exe, PE32 18->79 dropped 87 177 other malicious files 18->87 dropped 157 Installs new ROOT certificates 18->157 159 Drops script or batch files to the startup folder 18->159 161 Creates HTML files with .exe extension (expired dropper behavior) 18->161 33 8jmbWFWfWJGQYqyeoApvVVjW.exe 18->33         started        38 1ZWUNtwOKR6Sg8ig81UQAT4H.exe 18->38         started        40 XxDMhkDKLzrBWj31rR7KW8Jv.exe 18->40         started        42 19 other processes 18->42 119 52.182.143.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->119 81 C:\Users\user\AppData\Local\Temp\...\run.exe, PE32 27->81 dropped 83 C:\Users\user\AppData\Local\...\relay.dll, PE32 27->83 dropped 85 C:\Users\user\AppData\...\UIxMarketPlugin.dll, PE32 27->85 dropped 89 2 other malicious files 27->89 dropped 163 Detected unpacking (overwrites its own PE header) 27->163 165 Writes many files with high entropy 27->165 file8 signatures9 process10 dnsIp11 101 87.240.132.67 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 33->101 103 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 33->103 109 22 other IPs or domains 33->109 57 C:\Users\...\xp9HEJ7tVxNbdQsj_d983nsn.exe, MS-DOS 33->57 dropped 59 C:\Users\...\u0GHh7tF2_wHIVMrv_vJUZ3m.exe, PE32 33->59 dropped 61 C:\Users\...\tcp0RkNhSaLSe6fUSXGGAbc5.exe, PE32 33->61 dropped 67 30 other malicious files 33->67 dropped 137 Query firmware table information (likely to detect VMs) 33->137 139 Drops PE files to the document folder of the user 33->139 141 Creates HTML files with .exe extension (expired dropper behavior) 33->141 153 8 other signatures 33->153 111 2 other IPs or domains 38->111 69 5 other malicious files 38->69 dropped 143 Detected unpacking (overwrites its own PE header) 38->143 145 Writes many files with high entropy 38->145 44 u5m0.0.exe 38->44         started        105 185.172.128.90 NADYMSS-ASRU Russian Federation 40->105 71 5 other malicious files 40->71 dropped 49 u5ls.0.exe 40->49         started        107 107.167.110.217 OPERASOFTWAREUS United States 42->107 113 5 other IPs or domains 42->113 63 C:\Users\user\AppData\Local\Temp\...\run.exe, PE32 42->63 dropped 65 C:\Users\user\AppData\Local\...\relay.dll, PE32 42->65 dropped 73 45 other malicious files 42->73 dropped 147 Detected unpacking (changes PE section rights) 42->147 149 Tries to detect sandboxes and other dynamic analysis tools (window names) 42->149 151 Found Tor onion address 42->151 155 2 other signatures 42->155 51 u5rc.0.exe 42->51         started        53 u61c.0.exe 42->53         started        55 ubficynd8n5CkJVwmUlr5dhe.exe 42->55         started        file12 signatures13 process14 dnsIp15 123 185.172.128.150 NADYMSS-ASRU Russian Federation 44->123 91 C:\Users\user\AppData\...\softokn3[1].dll, PE32 44->91 dropped 93 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 44->93 dropped 95 C:\Users\user\AppData\...\mozglue[1].dll, PE32 44->95 dropped 99 9 other files (5 malicious) 44->99 dropped 175 Detected unpacking (changes PE section rights) 44->175 177 Detected unpacking (overwrites its own PE header) 44->177 179 Found many strings related to Crypto-Wallets (likely being stolen) 44->179 181 3 other signatures 44->181 97 Opera_installer_2404282051310655012.dll, PE32 55->97 dropped file16 signatures17
Score:
66%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-04-28 11:06:43 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cfj3thvhuilwslld54wjlnq7tn4bqytzh3k437z7kpylipm4rtga._file
Verdict:
malicious
Similar samples:
0b51f3120c7d31f504bd67b8bc8e9f41ca580b77bbf3a2aaa257bb1232d31073
Glupteba
2b7efff0b80e8a25e6acba7d686ba3836d3d672d62b880e3661587658edeee40
Glupteba
44076f98f8eb94de54ede47ed6d40d685eeab38606232b022f29996a2ab33cef
Glupteba
47307dc63a88e7e1ba5eb0230a0ac39092bd5c284896909d5e9f274f47939483
Glupteba
84aabb05fa24bb4994957177e3721ed6666aadd821b63360ac4417009dfb7db9
Glupteba
a928541a7b5b5732341dcb71c0ee2b98d181da422430923781d7dbb97b693645
Glupteba
d83011dec2bbee77269f3b84f65ab094c77615e6a1f25266f7f7705eb2ce99b5
Glupteba
e4847e1dafb9f7c429cab477f942d7bbcd47646594c7354b8cb35078de6c606c
Glupteba
eb1b82882490b936d4fbdd1375194d3fc97a9ded0daca28dd58eb2e9599b336a
Glupteba
ec091f0e5d6a757ab77e9789f57b3269192784fef76f338d99b5e675ed2d8f7b
Glupteba
+ 377 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/240428-zmkn8ahb8z/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Unpacked files
SH256 hash:
1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc
MD5 hash:
0c4043a9a9efff20810530fd0cad91d7
SHA1 hash:
ca3adc7e4f1a027a2969749ccd5e2c1b06b88162
Link:
https://www.unpac.me/results/5a6243cb-0d10-49bd-b9c2-a7156d6c534e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1153b99ea7a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 1153b99ea7a217692d63ef2c95b61f9b781862793ed5cdff3f53f0b43d9c8ccc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2819428/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments