MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2772403df32adec199765d4a7119d17aa066dc21d583aa7eac8f5d71571fe3a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2772403df32adec199765d4a7119d17aa066dc21d583aa7eac8f5d71571fe3a3
SHA3-384 hash: e88ec507f40ee2ccf1cd0b977c745f0cff81c8230a0a927ea51c42b39ed63469cca5fc24e900d82f96685ee5904c5799
SHA1 hash: 62690ad61c3d50501bfd2adf626dee838912b78c
MD5 hash: ac71fc82665f99d65246ae3dc5c270a1
humanhash: video-eight-river-april
File name:file
Download: download sample
Signature Glupteba
Create hunting rule
File size:1'087'352 bytes
First seen:2023-12-10 20:14:46 UTC
Last seen:2023-12-10 22:45:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:awwizS1a3MJphWHXL/TRAQDeaJWK9vnAsramUbaJtUtXr/9wEerfdMRKABaRaFV6:aHqS1aZXzTRAmeAvAs+5ba4tbOEeraRc
Threatray 5 similar samples on MalwareBazaar
TLSH T1CE35E02D99C79F70D62B6473AC6B01796B653842726F06F7FFA5AB00C3591C9001F2AB
TrID 27.3% (.SCR) Windows screen saver (13097/50/3)
22.0% (.EXE) Win64 Executable (generic) (10523/12/4)
13.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe Glupteba


Avatar
andretavare5
Sample downloaded from http://15.204.49.148/files/Installsetup2.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
259
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/464708/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65761c46bb9490c89ccca58b/reports/68ac2217-08d4-47d0-b7c5-8e4bb59fdeea/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/2772403df32adec199765d4a7119d17aa066dc21d583aa7eac8f5d71571fe3a3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73a6114b-fc56-48d0-b1a1-f8c0e86afae4
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1357709
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1357709 Sample: file.exe Startdate: 10/12/2023 Architecture: WINDOWS Score: 100 135 Malicious sample detected (through community Yara rule) 2->135 137 Antivirus detection for URL or domain 2->137 139 Yara detected Glupteba 2->139 141 8 other signatures 2->141 9 file.exe 2 4 2->9         started        process3 signatures4 155 Writes to foreign memory regions 9->155 157 Allocates memory in foreign processes 9->157 159 Adds extensions / path to Windows Defender exclusion list (Registry) 9->159 161 3 other signatures 9->161 12 AddInProcess32.exe 15 213 9->12         started        17 powershell.exe 23 9->17         started        19 CasPol.exe 9->19         started        process5 dnsIp6 129 194.104.136.64 SMEERBOEL-ASSMEERBOELBVNL Netherlands 12->129 131 5.42.65.57 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 12->131 133 8 other IPs or domains 12->133 109 C:\Users\...\zv3cvz8QwJPE773nxTlK7YT4.exe, PE32 12->109 dropped 111 C:\Users\...\y1xImpMeLx5feOp5BU7Xv3AG.exe, PE32 12->111 dropped 113 C:\Users\...\xn572ct45aBcSCvay4wdr9hV.exe, PE32 12->113 dropped 115 239 other malicious files 12->115 dropped 163 Drops script or batch files to the startup folder 12->163 165 Creates HTML files with .exe extension (expired dropper behavior) 12->165 167 Writes many files with high entropy 12->167 21 Y814b1lSPleegwTXWvRtqfn1.exe 12->21         started        26 Plp3yy5yrLHCacJXn4tpLmR9.exe 12->26         started        28 cE1QSVQXH5KzidqTZdlGvfqF.exe 12->28         started        32 10 other processes 12->32 30 conhost.exe 17->30         started        file7 signatures8 process9 dnsIp10 117 107.167.110.216 OPERASOFTWAREUS United States 21->117 119 107.167.110.218 OPERASOFTWAREUS United States 21->119 125 7 other IPs or domains 21->125 91 Opera_installer_2312102103069627992.dll, PE32 21->91 dropped 101 7 other malicious files 21->101 dropped 143 Writes many files with high entropy 21->143 34 Y814b1lSPleegwTXWvRtqfn1.exe 21->34         started        37 Y814b1lSPleegwTXWvRtqfn1.exe 21->37         started        39 Y814b1lSPleegwTXWvRtqfn1.exe 21->39         started        103 2 other malicious files 26->103 dropped 41 Install.exe 26->41         started        93 Opera_installer_2312102103130905340.dll, PE32 28->93 dropped 105 3 other malicious files 28->105 dropped 43 cE1QSVQXH5KzidqTZdlGvfqF.exe 28->43         started        45 cE1QSVQXH5KzidqTZdlGvfqF.exe 28->45         started        121 104.237.62.212 WEBNXUS United States 32->121 123 173.231.16.77 WEBNXUS United States 32->123 127 2 other IPs or domains 32->127 95 C:\Users\user\AppData\...\nsxB91C.tmp.exe, PE32 32->95 dropped 97 C:\Users\user\AppData\Local\...\INetC.dll, PE32 32->97 dropped 99 C:\Users\user\AppData\...\nssAE6D.tmp.exe, PE32 32->99 dropped 107 13 other malicious files 32->107 dropped 145 Detected unpacking (changes PE section rights) 32->145 147 Detected unpacking (overwrites its own PE header) 32->147 149 Found Tor onion address 32->149 151 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->151 47 Install.exe 32->47         started        49 cmd.exe 32->49         started        51 5 other processes 32->51 file11 signatures12 process13 file14 67 Opera_installer_2312102103157446840.dll, PE32 34->67 dropped 69 C:\Users\user\AppData\...\win8_importing.dll, PE32+ 34->69 dropped 83 22 other malicious files 34->83 dropped 53 Y814b1lSPleegwTXWvRtqfn1.exe 34->53         started        71 Opera_installer_2312102103087858020.dll, PE32 37->71 dropped 73 Opera_installer_2312102103094428188.dll, PE32 39->73 dropped 75 C:\Users\user\AppData\Local\...\Install.exe, PE32 41->75 dropped 56 Install.exe 41->56         started        77 Opera_installer_2312102103144085988.dll, PE32 43->77 dropped 79 Opera_installer_2312102103158585528.dll, PE32 45->79 dropped 81 C:\Users\user\AppData\Local\...\Install.exe, PE32 47->81 dropped 59 conhost.exe 49->59         started        61 cmd.exe 49->61         started        63 conhost.exe 51->63         started        65 cmd.exe 51->65         started        process15 file16 85 Opera_installer_2312102103166622384.dll, PE32 53->85 dropped 87 C:\Users\user\AppData\Local\...\AeRbqTT.exe, PE32 56->87 dropped 89 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 56->89 dropped 153 Modifies Group Policy settings 56->153 signatures17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2772403df32adec199765d4a7119d17aa066dc21d583aa7eac8f5d71571fe3a3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2772403df32adec199765d4a7119d17aa066dc21d583aa7eac8f5d71571fe3a3/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-10 21:08:05 UTC
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5zeapptflpmdglwlvfhcgorpkqgnxbb2wb2u7vmr5oxcvy74orq._file
Verdict:
malicious
Similar samples:
0acc5eca8860dc87070e066f3258296228439b35bdb9fbc02185fc861a97475f
Glupteba
7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a
Glupteba
b7283eee6896c605fbaf0c06c8c39d0d7bb43df0fcec72e7d63873732cfd4f8e
Glupteba
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc discovery dropper evasion loader persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/231210-y1jteachc6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
Stealc
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://77.91.76.36
Unpacked files
SH256 hash:
2772403df32adec199765d4a7119d17aa066dc21d583aa7eac8f5d71571fe3a3
MD5 hash:
ac71fc82665f99d65246ae3dc5c270a1
SHA1 hash:
62690ad61c3d50501bfd2adf626dee838912b78c
Link:
https://www.unpac.me/results/0c097242-b502-4d5c-a684-16f9e45b38e1/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2772403df32a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2772403df32adec199765d4a7119d17aa066dc21d583aa7eac8f5d71571fe3a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2738073/
Cape
Cape
https://www.capesandbox.com/analysis/464708/

Comments