MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881
SHA3-384 hash: 9653aef3b3677ac938280104160dbef1fa7ea52f1fa81f3c9a2bd54168f095f6a1714b0c72cbccaf18b283ccbf51239b
SHA1 hash: 8ed6c99d2d2e7b7f72e582d3fd057b0661940577
MD5 hash: da334b88e6bbe6b77cb9470f8f9de2e5
humanhash: two-hot-purple-twelve
File name:da334b88e6bbe6b77cb9470f8f9de2e5
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'650'024 bytes
First seen:2021-09-05 05:32:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f530acf7acd4a5c8880ba2a4704d4cbb (14 x RaccoonStealer, 4 x Glupteba, 2 x Tofsee)
ssdeep 98304:o4+8FLHnk2DwvU7/rcnub10nXmLzcYWoKZiwzR0b:o4DLE2DWUPcuh0nXmvlszR4
Threatray 163 similar samples on MalwareBazaar
TLSH T10D26330A6E90E4BFC021DAB045A9EBA0DD3E7C992C14641F3715FF6F9A13285932D3E5
dhash icon b27e7c7d727e6e76 (10 x RaccoonStealer, 5 x RedLineStealer, 5 x Stop)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
da334b88e6bbe6b77cb9470f8f9de2e5
Verdict:
Suspicious activity
Analysis date:
2021-09-05 05:35:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a80803fb-48c5-49f7-86e1-ec631591f7e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185361/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.7556.13704.1551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a file
Launching a process
Creating a file in the %temp% subdirectories
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Disabling the operating system update service
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e40a2ae-a8b3-4908-bea2-3b5b87dc0129
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845426
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Found Tor onion address
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477857 Sample: DN3MQnzCmq Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 17 Multi AV Scanner detection for domain / URL 2->17 19 Found malware configuration 2->19 21 Antivirus detection for URL or domain 2->21 23 7 other signatures 2->23 6 DN3MQnzCmq.exe 19 2->6         started        process3 signatures4 25 Detected unpacking (changes PE section rights) 6->25 9 WerFault.exe 6->9         started        11 WerFault.exe 6->11         started        13 WerFault.exe 6->13         started        15 14 other processes 6->15 process5
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-05 05:33:09 UTC
AV detection:
13 of 43 (30.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e7gbze34c5ll2wgob3cbnvmmjw3n7s66tzds6pqs7cl3nyvc5caq._file
Verdict:
unknown
Similar samples:
07792a24e211c9addd2b46ff799ecda7ab119edb6b043d66031097ae03c70c5f
Glupteba
0fc23c2e005cdfed1a0380dd7a06dda83b882f8d392c7f157b783822d21d78a1
Glupteba
2374688ef4bb51c7a7477bd3cac94db24f00f3707094e569aa4e4681d06a5176
Glupteba
44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0
Glupteba
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
Glupteba
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
Glupteba
a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
Glupteba
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
Glupteba
de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b
Glupteba
df0a2b50cba47cba62df3b128948dead529e8ccfbf59225e24bb47eadd2c4a81
Glupteba
+ 153 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210905-f8v8asfbb6/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
dfc3dc63931b3197a9616b1297b1337a21032d1f2fb0c6e8eff0e8dc0cf69f7d
MD5 hash:
cc5d72eb4d87228d5b519675fbf06b39
SHA1 hash:
ce560038a870dbd3bd1b7af09693500bd8fa7a29
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/54b2987c-5db0-432a-8988-8b3f4d6df11b/
Parent samples :
a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881
eddf51b647cdf3f3b1c93279ceff1e6967e36324126a24ed5d3301500ffdf66c
0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642
0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79
SH256 hash:
27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881
MD5 hash:
da334b88e6bbe6b77cb9470f8f9de2e5
SHA1 hash:
8ed6c99d2d2e7b7f72e582d3fd057b0661940577
Link:
https://www.unpac.me/results/54b2987c-5db0-432a-8988-8b3f4d6df11b/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/27cc1c937c17/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185361/

Comments


Avatar
zbet commented on 2021-09-05 05:32:34 UTC

url : hxxp://mysters.info/82550150ac3397ed391e34aa99d35be4.exe