MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559
SHA3-384 hash: d743b157d70bf40f25cd24de9332b50cb18067224ba917cf5729a75342dc95c809adbb78c82720acab53f131742108b8
SHA1 hash: ec54b4ddd9a09e6c93ebf557413554784bd2ca4c
MD5 hash: fd0d443e15067df34c6850339b49bf01
humanhash: butter-july-aspen-eight
File name:fd0d443e15067df34c6850339b49bf01
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'651'048 bytes
First seen:2021-09-04 05:14:52 UTC
Last seen:2021-09-04 06:21:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 193b8a18b82d2d8f5b36c7239901d2c7 (4 x ArkeiStealer, 3 x Glupteba, 3 x Stop)
ssdeep 98304:1lYytOhyx9FSq84+0VPTNOANeJShOkDzbK/h95j+ES3vIga3f4257zi+DO9:1mytOhm9XL+S35Od/PF+ES3vSL5CO+
Threatray 164 similar samples on MalwareBazaar
TLSH T1FD26331162D1C021F6A769F0A9B59769712CF9A34B3085EFC3D56CE60B24BDCBE32643
dhash icon e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fd0d443e15067df34c6850339b49bf01
Verdict:
Suspicious activity
Analysis date:
2021-09-04 05:15:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ae25d98-1834-4c1f-aa60-f11dde388dff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185250/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.24829.12444.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Creating a file in the %temp% subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Disabling the operating system update service
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc24b17e-e160-4249-81a6-e56e9fd1ad69
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845138
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Sigma detected: Suspicious Service DACL Modification
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477569 Sample: k6Cgi2iRsK Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 97 Found malware configuration 2->97 99 Antivirus detection for URL or domain 2->99 101 Multi AV Scanner detection for dropped file 2->101 103 12 other signatures 2->103 10 k6Cgi2iRsK.exe 19 2->10         started        13 csrss.exe 2->13         started        15 csrss.exe 2->15         started        17 8 other processes 2->17 process3 dnsIp4 117 Detected unpacking (changes PE section rights) 10->117 119 Modifies the windows firewall 10->119 121 Drops PE files with benign system names 10->121 20 k6Cgi2iRsK.exe 11 2 10->20         started        25 csrss.exe 13->25         started        27 csrss.exe 15->27         started        79 192.168.2.1 unknown unknown 17->79 29 csrss.exe 17->29         started        signatures5 process6 dnsIp7 81 humisnee.com 172.64.101.6, 443, 49721 CLOUDFLARENETUS United States 20->81 77 C:\Windows\rss\csrss.exe, PE32 20->77 dropped 105 Drops executables to the windows directory (C:\Windows) and starts them 20->105 107 Creates an autostart registry key pointing to binary in C:\Windows 20->107 31 csrss.exe 4 8 20->31         started        36 cmd.exe 1 20->36         started        file8 signatures9 process10 dnsIp11 83 spolaect.info 104.21.33.110, 443, 49727 CLOUDFLARENETUS United States 31->83 85 hammersd.info 104.21.54.132, 443, 49728 CLOUDFLARENETUS United States 31->85 87 3 other IPs or domains 31->87 69 C:\Windows\windefender.exe, PE32 31->69 dropped 71 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 31->71 dropped 73 C:\Users\...73tQuerySystemInformationHook.dll, PE32+ 31->73 dropped 75 5 other files (none is malicious) 31->75 dropped 89 Detected unpacking (changes PE section rights) 31->89 91 Machine Learning detection for dropped file 31->91 93 Uses schtasks.exe or at.exe to add and modify task schedules 31->93 38 windefender.exe 31->38         started        41 injector.exe 31->41         started        43 schtasks.exe 1 31->43         started        49 4 other processes 31->49 95 Uses netsh to modify the Windows network and firewall settings 36->95 45 netsh.exe 3 36->45         started        47 conhost.exe 36->47         started        file12 signatures13 process14 signatures15 109 Antivirus detection for dropped file 38->109 111 Multi AV Scanner detection for dropped file 38->111 113 Machine Learning detection for dropped file 38->113 51 cmd.exe 38->51         started        53 conhost.exe 41->53         started        55 conhost.exe 43->55         started        115 Creates files in the system32 config directory 45->115 57 conhost.exe 49->57         started        59 conhost.exe 49->59         started        61 conhost.exe 49->61         started        63 conhost.exe 49->63         started        process16 process17 65 conhost.exe 51->65         started        67 sc.exe 51->67         started       
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-04 05:15:10 UTC
AV detection:
9 of 43 (20.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxqgqpmtfjgerfsifknnblbvjlist5swqazeli6mzqjm5slccvmq._file
Verdict:
suspicious
Similar samples:
07a3740166cef528ebddd4f594c555f7a07cee5260fb85d2840dded9ebbbd652
Glupteba
21391fc51c85957fb1bf530fbdd01b9cc6b855445c5ae6e46d9be51441ee62f5
Glupteba
50ab699ceb6bb259199d197392ea0ed00d024ce77d3d663ea13fe7b93a4ab50e
Glupteba
68d83afa2dc4272e54c4ebb1ab8981e7f00442dfe6e66c8b7299c30a230be997
Glupteba
769a9ae9ab253e8cce64c35143eff02b2ae70e53465ab4aa4f6cf1b2d4fe698e
Glupteba
8bb0c75f554647d27173b3d8b2e63abba3670fb7972b6856cbca89f1eda96c6d
Glupteba
98c781b3fd15d6c7c7624aa1a0c93910dd5d19722a1d9b8cb1c7b9673d311090
Glupteba
d86aa13697e550f6e74a585167e0e5aae455a7a99284679f230fe1d96ff59d8a
Glupteba
ea0caa6312daceeb1afafa56060d7de28ae4a91c814c79c4ddbf6f2e751d50c3
Glupteba
+ 154 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210904-fxkx7adhc7/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
bd2d2444229feb677e127cd341e336202ec33688626cbe0661b7414b3e481ad3
MD5 hash:
ca7c9a0345b1a820d48b9c5db50a5050
SHA1 hash:
0284ba81dc1d3ff686cbadd69bef68e58dfef5d8
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/c908e6ed-b398-423a-906f-1fce09470682/
Parent samples :
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
68d83afa2dc4272e54c4ebb1ab8981e7f00442dfe6e66c8b7299c30a230be997
20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1
2374688ef4bb51c7a7477bd3cac94db24f00f3707094e569aa4e4681d06a5176
df0a2b50cba47cba62df3b128948dead529e8ccfbf59225e24bb47eadd2c4a81
07792a24e211c9addd2b46ff799ecda7ab119edb6b043d66031097ae03c70c5f
de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b
15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559
6ac8f87ce26a0a9ad330c8b42342b6891d12df43be535f9c487855182a39aa1f
SH256 hash:
15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559
MD5 hash:
fd0d443e15067df34c6850339b49bf01
SHA1 hash:
ec54b4ddd9a09e6c93ebf557413554784bd2ca4c
Link:
https://www.unpac.me/results/c908e6ed-b398-423a-906f-1fce09470682/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/15e0683d932a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:UroburosVirtualBoxDriver
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185250/

Comments


Avatar
zbet commented on 2021-09-04 05:14:54 UTC

url : hxxp://qwertys.info/dcc7975c8a99514da06323f0994cd79b.exe