MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13e767854d12c3a62a83c90839d9b3041fcca033c06ae1452de9704886e4948b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 12



SHA256 hash: 13e767854d12c3a62a83c90839d9b3041fcca033c06ae1452de9704886e4948b
SHA3-384 hash: b3c564175ecf691f018a244bdaeff2277e1bf4ace3472c6369facf6f1446c40ae6183352141eb2d1e0e37d2d76b1db97
SHA1 hash: 72cb7acb3c493f8e2c835a1d7f32b09fb394c8e8
MD5 hash: 295a692c31ac9db116fa6f4c715aafb1
humanhash: connecticut-enemy-foxtrot-maine
File name: file
Download: download sample
Signature: Glupteba
File size: 362'864 bytes
First seen: 2023-11-20 20:10:19 UTC
Last seen: 2023-11-20 21:14:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:P7lIwowoAogIwowogoAIwow1QBIMAycdO7NbLX35FBpcP1axzzjUZwr6CrgdO4OU:jlIwowoAogIwowogoAIwowVhM7NfXJFe
Threatray: 8 similar samples on MalwareBazaar
TLSH: T1CE74CF89A5D6DEBAF6D43376A1618213E226810081EFAFAD67D143A6EF4F5034D07F4C
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: andretavare5
Tags: exe Glupteba signed

Code Signing Certificate

Organisation: ninjia inc
Issuer: ninjia inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-11-20T19:24:08Z
Valid to: 2024-11-20T19:24:08Z
Serial number: acb7d7400e8ec7b6f69d9b5a3b850d5c
Thumbprint Algorithm: SHA256
Thumbprint: edf0a138e4e74b75b9c25a0d18514dde40323f86f83405d74677662cef45d769
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://91.92.243.139/files/InstallSetup2.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 368
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for the window
Blocking the User Account Control
Forced shutdown of a system process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Glupteba, Vidar
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking computer name)
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Vidar stealer
Behaviour
Behavior Graph: [interactive graph not reproduced; Behavior Graph ID: 1345429, Sample: file.exe, Startdate: 20/11/2023, Architecture: WINDOWS, Score: 100]
Threat name: ByteCode-MSIL.Trojan.Amadey
Status: Malicious
First seen: 2023-11-20 20:11:05 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver
Manipulates WinMonFS driver
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 9c198110bc39807d66d6416ce5e3d81c75c794860f080036ed1832380e430bb0
MD5 hash: 0c5906d3fd3f7cd2ccf0f6027e46b6de
SHA1 hash: b6f5db7fb9128da82588c914a28a700f8089eb97
SHA256 hash: 13e767854d12c3a62a83c90839d9b3041fcca033c06ae1452de9704886e4948b
MD5 hash: 295a692c31ac9db116fa6f4c715aafb1
SHA1 hash: 72cb7acb3c493f8e2c835a1d7f32b09fb394c8e8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
