MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1
SHA3-384 hash: 01077ad0a4969d088cdc03711a40b54c100fde8f636db48d6e1ac040939143e0eff4a146bcc2ae410e71a93f86ae8db1
SHA1 hash: afe9bf269a8ac598eece3e0f36591a59a04913aa
MD5 hash: 15225c230c9c4d014af18e73cb9e6194
humanhash: fix-charlie-november-football
File name:15225c230c9c4d014af18e73cb9e6194
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'628'008 bytes
First seen:2021-09-01 20:28:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2617ed69d5fa8c0972283727d551e89d (5 x Glupteba)
ssdeep 98304:hv1Ien0lEuPLzWdMA0ZHlBWxO9ujyb1U6h3M:34kMAYl8xO9cwM
Threatray 141 similar samples on MalwareBazaar
TLSH T1C726332F2791D0B7D8DC073449C54FF996667E599C04E81B2F811B6EEAA93A2C706333
dhash icon fcfcf4d4d4dcd8c8 (6 x RaccoonStealer, 6 x RedLineStealer, 5 x Glupteba)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'388
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15225c230c9c4d014af18e73cb9e6194
Verdict:
Suspicious activity
Analysis date:
2021-09-01 20:31:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/70653c10-1a6b-4eed-bf6e-a7e093a8a4aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184569/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.22701.930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Launching a service
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Sending a UDP request
Creating a file
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a service
Adding an access-denied ACE
Creating a file in the %temp% subdirectories
Disabling the operating system update service
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27f6cc72-0479-49bb-ae34-03e823c9dacb
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843645
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Found Tor onion address
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 476076 Sample: 4pcnu72jxs Startdate: 01/09/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Antivirus detection for URL or domain 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 6 other signatures 2->40 6 4pcnu72jxs.exe 19 2->6         started        9 svchost.exe 2->9         started        12 svchost.exe 1 2->12         started        14 svchost.exe 1 2->14         started        process3 dnsIp4 42 Detected unpacking (changes PE section rights) 6->42 16 WerFault.exe 6->16         started        18 WerFault.exe 6->18         started        20 WerFault.exe 6->20         started        28 14 other processes 6->28 32 192.168.2.1 unknown unknown 9->32 22 WerFault.exe 9->22         started        24 WerFault.exe 9->24         started        26 WerFault.exe 9->26         started        30 14 other processes 9->30 signatures5 process6
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1/
Threat name:
Win32.Trojan.WinGoRanumBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 20:29:12 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ebmgul2ycvpwolb2knlo3zww5niverw2jaozfrzes4obknwo3diq._file
Verdict:
unknown
Similar samples:
0c535fc0755f04c889292d4bcae072d090f67030cb7a369b6a2113bfc37e1697
Glupteba
1c26aa5bcb8e5bc2170d8c7b8c2b0698d4e8a60f0d0f65c1a9a3d5e9b360cf58
Glupteba
4f71b2a4b8c2b49695b57ac172f6fc30e7f7816439c716d5f7b45ca7dcf0a182
Glupteba
74f19d23d99aed723ed2584ef1e558cf3d6995a1a3624a4454f9d4c4c53c2963
Glupteba
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
Glupteba
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
Glupteba
93ce6999d6249ff0b1cc363e50b91886fc87f832dbf819c33e4a7c9f01fbb431
Glupteba
b5445b7c8d5971a05495c3e0d3f56ab68bb5f372c3d687b24b5b8930c3368f54
Glupteba
+ 131 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210901-8xhmgnrv1s/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
bd2d2444229feb677e127cd341e336202ec33688626cbe0661b7414b3e481ad3
MD5 hash:
ca7c9a0345b1a820d48b9c5db50a5050
SHA1 hash:
0284ba81dc1d3ff686cbadd69bef68e58dfef5d8
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/071a1af9-8f7e-4dd5-8c47-9b0c1c4f99ea/
Parent samples :
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
68d83afa2dc4272e54c4ebb1ab8981e7f00442dfe6e66c8b7299c30a230be997
20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1
2374688ef4bb51c7a7477bd3cac94db24f00f3707094e569aa4e4681d06a5176
df0a2b50cba47cba62df3b128948dead529e8ccfbf59225e24bb47eadd2c4a81
07792a24e211c9addd2b46ff799ecda7ab119edb6b043d66031097ae03c70c5f
de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b
15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559
6ac8f87ce26a0a9ad330c8b42342b6891d12df43be535f9c487855182a39aa1f
SH256 hash:
20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1
MD5 hash:
15225c230c9c4d014af18e73cb9e6194
SHA1 hash:
afe9bf269a8ac598eece3e0f36591a59a04913aa
Link:
https://www.unpac.me/results/071a1af9-8f7e-4dd5-8c47-9b0c1c4f99ea/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/20586a2f5815/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name:UroburosVirtualBoxDriver
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1584233/
Cape
Cape
https://www.capesandbox.com/analysis/184569/

Comments


Avatar
zbet commented on 2021-09-01 20:28:55 UTC

url : hxxps://closedr.info/82550150ac3397ed391e34aa99d35be4.exe