MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 195289a2400f2cb9e94631539b23bc5b2f643e0b444d81485600ee62ea674d89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 195289a2400f2cb9e94631539b23bc5b2f643e0b444d81485600ee62ea674d89
SHA3-384 hash: 0b61a0214fe78daf7dc9221282d0184e47a90186f606625f5da5bc3efb0662785433f34f78f3cb2c71a3e3ff52286c40
SHA1 hash: e660a63da91cf076b84e0b19f1984667e9df745d
MD5 hash: cd79dce12acd476ff39dbd6106876c07
humanhash: robert-montana-sad-moon
File name:cd79dce12acd476ff39dbd6106876c07
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'717'608 bytes
First seen:2021-09-12 17:56:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8447a74d20f094dcabf63f6ce92f5cf9 (4 x Glupteba, 1 x Stop, 1 x ArkeiStealer)
ssdeep 98304:zU0SVMW1TmSKsZ1thlbYwYCWyW9byaNEacVYThfLhIHimnGvTt:z1SyW9wsX5YyW7BxNE1VY5LhvTt
Threatray 204 similar samples on MalwareBazaar
TLSH T1D926332077E0C039D5BB42F5583ADBAD6D297A605F2013C761D95BDA3E2CBE82931783
dhash icon 9824e390e4e72158 (4 x Glupteba)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'341
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd79dce12acd476ff39dbd6106876c07
Verdict:
Suspicious activity
Analysis date:
2021-09-12 17:59:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d0aededd-018c-409b-9be8-b5761ac9b0c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187151/
Detection(s):
SecuriteInfo.com.Trojan.MalPack.22584.47.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6174f8d59a5a1e91c5d1f65d/reports/8a79ba46-8ad8-4415-8487-6caa2261836a/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f7b1f51-af5c-4a21-ae67-66c6b427990b
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849393
Signature
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481824 Sample: 10hORi8M8E Startdate: 12/09/2021 Architecture: WINDOWS Score: 100 74 server11.ninhaine.com 2->74 94 Found malware configuration 2->94 96 Antivirus detection for URL or domain 2->96 98 Multi AV Scanner detection for dropped file 2->98 100 10 other signatures 2->100 10 10hORi8M8E.exe 19 2->10         started        13 csrss.exe 2->13         started        15 csrss.exe 2->15         started        17 csrss.exe 2->17         started        signatures3 process4 signatures5 110 Detected unpacking (changes PE section rights) 10->110 112 Modifies the windows firewall 10->112 114 Drops PE files with benign system names 10->114 19 10hORi8M8E.exe 11 2 10->19         started        24 csrss.exe 13->24         started        26 csrss.exe 15->26         started        28 csrss.exe 17->28         started        process6 dnsIp7 76 humisnee.com 104.21.90.218, 443, 49748 CLOUDFLARENETUS United States 19->76 64 C:\Windows\rss\csrss.exe, PE32 19->64 dropped 102 Drops executables to the windows directory (C:\Windows) and starts them 19->102 104 Creates an autostart registry key pointing to binary in C:\Windows 19->104 30 csrss.exe 3 7 19->30         started        35 cmd.exe 1 19->35         started        file8 signatures9 process10 dnsIp11 78 hammersd.info 104.21.54.132, 443, 49761 CLOUDFLARENETUS United States 30->78 80 server11.ninhaine.com 172.67.141.50, 443, 49754, 49755 CLOUDFLARENETUS United States 30->80 82 3 other IPs or domains 30->82 66 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 30->66 dropped 68 C:\Users\...68tQuerySystemInformationHook.dll, PE32+ 30->68 dropped 70 C:FI\Microsoft\Boot\bootmgfw.efi, MS-DOS 30->70 dropped 72 4 other files (none is malicious) 30->72 dropped 84 Detected unpacking (changes PE section rights) 30->84 86 Machine Learning detection for dropped file 30->86 88 Uses shutdown.exe to shutdown or reboot the system 30->88 90 Uses schtasks.exe or at.exe to add and modify task schedules 30->90 37 injector.exe 30->37         started        40 schtasks.exe 1 30->40         started        42 mountvol.exe 1 30->42         started        48 4 other processes 30->48 92 Uses netsh to modify the Windows network and firewall settings 35->92 44 netsh.exe 3 35->44         started        46 conhost.exe 35->46         started        file12 signatures13 process14 signatures15 106 Multi AV Scanner detection for dropped file 37->106 50 conhost.exe 37->50         started        52 conhost.exe 40->52         started        54 conhost.exe 42->54         started        108 Creates files in the system32 config directory 44->108 56 conhost.exe 48->56         started        58 conhost.exe 48->58         started        60 conhost.exe 48->60         started        62 conhost.exe 48->62         started        process16
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/195289a2400f2cb9e94631539b23bc5b2f643e0b444d81485600ee62ea674d89/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-12 17:57:15 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfjitisab4wlt2kggfjzwi54lmxwipqlirgycscwadxgf2thjweq._file
Verdict:
malicious
Similar samples:
13492a113107ae59e2fe02f3c3b9afa411a39caa73b78ea06dec0fb9a970f7a2
Glupteba
16d1ba9319a2329e64fea8762174354cc0781ab71a181a4ec19a8464b28ff90c
Glupteba
39c5720b9f6ecc9266cb2f31e1d3201da9e0ad17add1af5ec231a3cd1eae4634
Glupteba
55ed36eee21fc8115e9a02c95c218df563db0463088576b9da8b2def73311c05
Glupteba
8756bca615d9140f087ae1df1fbbe56289b991a2efae64d61feb0a162e06d127
Glupteba
8c931f2aa9920fd1756244ea50369a0290ea5a75b2b9416c68e8162ee300f06a
Glupteba
aa15c9a23c122e4df9220823e55ccc39dcb7ac6b0fd07633f5b850e787b1a61f
Glupteba
c794b0cf979f41374471d77bb1cf16eccb46af151a887044c02fe033143b2264
Glupteba
c9c189dc56b69367c3c9249ca291824cd7486680d075dccdffec4c52af4d5d39
Glupteba
eb4694ad3a62d2e007c0f0aba545d57af7dcb41b78504401bafda510d85d9a4f
Glupteba
+ 194 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210912-wjlkkaceb9/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
aa6ecbb2334048c3205ec9d947b0abb6d61f7ff235ae6e0e1159af59a1fe2c1a
MD5 hash:
92fb96677b8ca5fb356db81fa28ce66d
SHA1 hash:
5f786048fb4854c7bdd78bc0d4ebbef2e5f8d4d0
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/25482abb-8ec0-40f1-8b61-34430d9a789b/
Parent samples :
16d1ba9319a2329e64fea8762174354cc0781ab71a181a4ec19a8464b28ff90c
55ed36eee21fc8115e9a02c95c218df563db0463088576b9da8b2def73311c05
8c931f2aa9920fd1756244ea50369a0290ea5a75b2b9416c68e8162ee300f06a
c9c189dc56b69367c3c9249ca291824cd7486680d075dccdffec4c52af4d5d39
fa5ae1658989d1d11e8100a350d08ed016e81e1ab007a271f8c73182bd3d6ccb
39c5720b9f6ecc9266cb2f31e1d3201da9e0ad17add1af5ec231a3cd1eae4634
274755403bcea4b01a2fb4ebabaa1ffd3a3f06ad52c4fa747b8a52f1e7b4dd54
a4fa281b7b5380cb6ce5eb5a03280cc2ba573a7e724ea9ecaec3eef72a8c3c98
b7d6313abaa9157a215b0c3a952068bad014c490f359becab0b55c7e01885034
5d02823347e5eed62fc726832e4044731b5ae02167106e92d3dbd5848f9fba42
3bfa0b763724da5383365a116fde4a9cc1a1932b0f8bd4ba30807386e2b888e6
3e44aaf53dce4bee54658ad0a4ceecf11d73809de59eaad7c652c0e816304bd5
52ec02df4ae8189c6e0c97b69ab4bc0c7eb3dbf2c9056dfd0749589ec0ff8aa6
13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525
66461a7bc3c5893117b2def208f60acd1214f2f684d20faea7ca9ad087548df7
aa15c9a23c122e4df9220823e55ccc39dcb7ac6b0fd07633f5b850e787b1a61f
4e3740f106a2dd5ff862d1d88885e869a01fe7f3aac167e4d8eeaf7e9b2e5393
8756bca615d9140f087ae1df1fbbe56289b991a2efae64d61feb0a162e06d127
eb4694ad3a62d2e007c0f0aba545d57af7dcb41b78504401bafda510d85d9a4f
c794b0cf979f41374471d77bb1cf16eccb46af151a887044c02fe033143b2264
195289a2400f2cb9e94631539b23bc5b2f643e0b444d81485600ee62ea674d89
40507efbaa22e1db92c98d29ede1cdb9f68dcca04bf9558fe96e90ed18e847c1
7600aa65af2e0c32f0471192312b18184c708e72d0eb9af7be927f210dc7ca12
24073b2c9d79f2505f93c77c1e06f6a0b7b44efe3a26e58e99ecb239566cb201
e8c32e157a66fe9ec15372df53785ef878ae8869231ff57d170a5a1f6e609948
b60acb821cf9e94148f4f748830800d285ba1b4ab3d708bbf7033ded3f1c331c
d5bc83c6fef7c7dffe1ed4475bcbfda29d96dfb53b560c545cf7b7c29b639591
b19abbca0a9e526093ea103daa869ec70c1163b7c80844c6be7cd684be26bda7
60cc9eee3e5c35b67498092c33e30735304e8da670e1c6838f181578b30badf2
a8b9ca1ef77bca059ca40539d5943a082361409db76565e60a7541f6e1888898
1db9ab5cff09340433604b9148483cdd81fcbb082816b85a55669ff39cf6a7a3
dd4cd014bf67de3e7820783f35dd3810a6ad0a15985d3c2701abccf26e748bcb
a64593eda5475dfe88df519417b82923962411cbcfcd2997e93ac9daf6ada420
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36
SH256 hash:
195289a2400f2cb9e94631539b23bc5b2f643e0b444d81485600ee62ea674d89
MD5 hash:
cd79dce12acd476ff39dbd6106876c07
SHA1 hash:
e660a63da91cf076b84e0b19f1984667e9df745d
Link:
https://www.unpac.me/results/25482abb-8ec0-40f1-8b61-34430d9a789b/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/195289a2400f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:UroburosVirtualBoxDriver
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 195289a2400f2cb9e94631539b23bc5b2f643e0b444d81485600ee62ea674d89

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187151/

Comments


Avatar
zbet commented on 2021-09-12 17:56:48 UTC

url : hxxp://qwertys.info/af09be81f9c60eac22596128cfde139b.exe