MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525
SHA3-384 hash: a55c57e8b7192b6b5ff02d26517dddb472b9fde197b8df301eb7c3a2efbf8f728bf2329e77693265551dc3dde820d4a4
SHA1 hash: fb1347ed7e752bf60c34c7d3bf779ff8e9172e8b
MD5 hash: 7b5d114448df10eff052ab0393e18b4c
humanhash: island-missouri-twelve-autumn
File name:SecuriteInfo.com..16588.17559
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'559'400 bytes
First seen:2021-09-10 19:38:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b2fc26a018e38936a05d5cf369122a0 (5 x RaccoonStealer, 2 x Glupteba, 1 x Tofsee)
ssdeep 98304:3c4M3FPX43o1F/u8F7H1mjbotvXj/k+5kDmEWs9Y6Bd98zI:3hMFPXyo/G8ZVmjbotvI+kmyFBd4I
Threatray 197 similar samples on MalwareBazaar
TLSH T116263320AB90D072F58161318334D9F12E3E7A5A9AF470D7BFEA1CF68E716415721B3A
dhash icon b8b078eccacccc01 (9 x RaccoonStealer, 4 x Glupteba, 4 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'355
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://yelty.info/dcc7975c8a99514da06323f0994cd79b.exe
Verdict:
No threats detected
Analysis date:
2021-09-10 17:45:41 UTC
Tags:
loader
Link:
https://app.any.run/tasks/b97e5363-d40f-4a97-92ae-b4e1fd000ace

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186967/
Detection(s):
SecuriteInfo.com..16588.17559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a service
Adding an access-denied ACE
Creating a file in the %temp% subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Disabling the operating system update service
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4dc247ae-0b70-4e13-b161-242d8f5acc38
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849009
Signature
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481440 Sample: SecuriteInfo.com..16588.17559 Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 73 server16.ninhaine.com 2->73 83 Multi AV Scanner detection for domain / URL 2->83 85 Found malware configuration 2->85 87 Antivirus detection for URL or domain 2->87 89 11 other signatures 2->89 11 SecuriteInfo.com..16588.exe 19 2->11         started        14 csrss.exe 2->14         started        16 csrss.exe 2->16         started        18 csrss.exe 2->18         started        signatures3 process4 signatures5 97 Detected unpacking (changes PE section rights) 11->97 99 Modifies the windows firewall 11->99 101 Drops PE files with benign system names 11->101 20 SecuriteInfo.com..16588.exe 11 2 11->20         started        25 csrss.exe 14->25         started        27 csrss.exe 16->27         started        process6 dnsIp7 75 humisnee.com 172.67.186.17, 443, 49691 CLOUDFLARENETUS United States 20->75 63 C:\Windows\rss\csrss.exe, PE32 20->63 dropped 91 Drops executables to the windows directory (C:\Windows) and starts them 20->91 93 Creates an autostart registry key pointing to binary in C:\Windows 20->93 29 csrss.exe 4 7 20->29         started        34 cmd.exe 1 20->34         started        file8 signatures9 process10 dnsIp11 77 hammersd.info 104.21.54.132, 443, 49701 CLOUDFLARENETUS United States 29->77 79 spolaect.info 104.21.33.110, 443, 49700 CLOUDFLARENETUS United States 29->79 81 3 other IPs or domains 29->81 65 C:\Users\...65tQuerySystemInformationHook.dll, PE32+ 29->65 dropped 67 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 29->67 dropped 69 C:FI\Microsoft\Boot\bootmgfw.efi, MS-DOS 29->69 dropped 71 4 other files (none is malicious) 29->71 dropped 103 Detected unpacking (changes PE section rights) 29->103 105 Machine Learning detection for dropped file 29->105 107 Uses schtasks.exe or at.exe to add and modify task schedules 29->107 36 schtasks.exe 1 29->36         started        38 mountvol.exe 1 29->38         started        40 mountvol.exe 1 29->40         started        47 3 other processes 29->47 109 Uses netsh to modify the Windows network and firewall settings 34->109 42 netsh.exe 3 34->42         started        45 conhost.exe 34->45         started        file12 signatures13 process14 signatures15 49 conhost.exe 36->49         started        51 conhost.exe 38->51         started        53 conhost.exe 40->53         started        95 Creates files in the system32 config directory 42->95 55 conhost.exe 47->55         started        57 conhost.exe 47->57         started        59 conhost.exe 47->59         started        process16 process17 61 csrss.exe 49->61         started       
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 17:55:02 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmrsbfnlxfmkrdqcur75fh2xypk2rgonk7xnjjt3wgr6zkursusq._file
Verdict:
malicious
Similar samples:
13492a113107ae59e2fe02f3c3b9afa411a39caa73b78ea06dec0fb9a970f7a2
Glupteba
16d1ba9319a2329e64fea8762174354cc0781ab71a181a4ec19a8464b28ff90c
Glupteba
274755403bcea4b01a2fb4ebabaa1ffd3a3f06ad52c4fa747b8a52f1e7b4dd54
Glupteba
3bfa0b763724da5383365a116fde4a9cc1a1932b0f8bd4ba30807386e2b888e6
Glupteba
55ed36eee21fc8115e9a02c95c218df563db0463088576b9da8b2def73311c05
Glupteba
5d02823347e5eed62fc726832e4044731b5ae02167106e92d3dbd5848f9fba42
Glupteba
8c931f2aa9920fd1756244ea50369a0290ea5a75b2b9416c68e8162ee300f06a
Glupteba
b7d6313abaa9157a215b0c3a952068bad014c490f359becab0b55c7e01885034
Glupteba
c9c189dc56b69367c3c9249ca291824cd7486680d075dccdffec4c52af4d5d39
Glupteba
fa5ae1658989d1d11e8100a350d08ed016e81e1ab007a271f8c73182bd3d6ccb
Glupteba
+ 187 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210910-ycdmgsaef4/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
aa6ecbb2334048c3205ec9d947b0abb6d61f7ff235ae6e0e1159af59a1fe2c1a
MD5 hash:
92fb96677b8ca5fb356db81fa28ce66d
SHA1 hash:
5f786048fb4854c7bdd78bc0d4ebbef2e5f8d4d0
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/bcb983d9-e1a6-4d10-9b16-87d43a400fd1/
Parent samples :
16d1ba9319a2329e64fea8762174354cc0781ab71a181a4ec19a8464b28ff90c
55ed36eee21fc8115e9a02c95c218df563db0463088576b9da8b2def73311c05
8c931f2aa9920fd1756244ea50369a0290ea5a75b2b9416c68e8162ee300f06a
c9c189dc56b69367c3c9249ca291824cd7486680d075dccdffec4c52af4d5d39
fa5ae1658989d1d11e8100a350d08ed016e81e1ab007a271f8c73182bd3d6ccb
39c5720b9f6ecc9266cb2f31e1d3201da9e0ad17add1af5ec231a3cd1eae4634
274755403bcea4b01a2fb4ebabaa1ffd3a3f06ad52c4fa747b8a52f1e7b4dd54
a4fa281b7b5380cb6ce5eb5a03280cc2ba573a7e724ea9ecaec3eef72a8c3c98
b7d6313abaa9157a215b0c3a952068bad014c490f359becab0b55c7e01885034
5d02823347e5eed62fc726832e4044731b5ae02167106e92d3dbd5848f9fba42
3bfa0b763724da5383365a116fde4a9cc1a1932b0f8bd4ba30807386e2b888e6
3e44aaf53dce4bee54658ad0a4ceecf11d73809de59eaad7c652c0e816304bd5
52ec02df4ae8189c6e0c97b69ab4bc0c7eb3dbf2c9056dfd0749589ec0ff8aa6
13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525
66461a7bc3c5893117b2def208f60acd1214f2f684d20faea7ca9ad087548df7
aa15c9a23c122e4df9220823e55ccc39dcb7ac6b0fd07633f5b850e787b1a61f
4e3740f106a2dd5ff862d1d88885e869a01fe7f3aac167e4d8eeaf7e9b2e5393
8756bca615d9140f087ae1df1fbbe56289b991a2efae64d61feb0a162e06d127
eb4694ad3a62d2e007c0f0aba545d57af7dcb41b78504401bafda510d85d9a4f
c794b0cf979f41374471d77bb1cf16eccb46af151a887044c02fe033143b2264
195289a2400f2cb9e94631539b23bc5b2f643e0b444d81485600ee62ea674d89
40507efbaa22e1db92c98d29ede1cdb9f68dcca04bf9558fe96e90ed18e847c1
7600aa65af2e0c32f0471192312b18184c708e72d0eb9af7be927f210dc7ca12
24073b2c9d79f2505f93c77c1e06f6a0b7b44efe3a26e58e99ecb239566cb201
e8c32e157a66fe9ec15372df53785ef878ae8869231ff57d170a5a1f6e609948
b60acb821cf9e94148f4f748830800d285ba1b4ab3d708bbf7033ded3f1c331c
d5bc83c6fef7c7dffe1ed4475bcbfda29d96dfb53b560c545cf7b7c29b639591
b19abbca0a9e526093ea103daa869ec70c1163b7c80844c6be7cd684be26bda7
60cc9eee3e5c35b67498092c33e30735304e8da670e1c6838f181578b30badf2
a8b9ca1ef77bca059ca40539d5943a082361409db76565e60a7541f6e1888898
1db9ab5cff09340433604b9148483cdd81fcbb082816b85a55669ff39cf6a7a3
dd4cd014bf67de3e7820783f35dd3810a6ad0a15985d3c2701abccf26e748bcb
a64593eda5475dfe88df519417b82923962411cbcfcd2997e93ac9daf6ada420
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36
SH256 hash:
13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525
MD5 hash:
7b5d114448df10eff052ab0393e18b4c
SHA1 hash:
fb1347ed7e752bf60c34c7d3bf779ff8e9172e8b
Link:
https://www.unpac.me/results/bcb983d9-e1a6-4d10-9b16-87d43a400fd1/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/13232095abb9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:UroburosVirtualBoxDriver
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1608439/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/186967/

Comments