MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3310176989a25f60f2406a1da8ebfd962b27c07ee107b3472faff5e1df3857c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3310176989a25f60f2406a1da8ebfd962b27c07ee107b3472faff5e1df3857c9
SHA3-384 hash: d992d2b7259c5cfca7182b3eec4c7e870c0acbfa2411d1f535274e4610d03c1d6983af75a83214a882340cc6286b3a11
SHA1 hash: cb496f2193e5623ed0a8066bb0b9d996a79fd458
MD5 hash: 8f602d30966ffba20f95c2c047080aef
humanhash: floor-victor-nuts-victor
File name:file
Download: download sample
Signature Glupteba
Create hunting rule
File size:1'190'912 bytes
First seen:2023-11-19 23:40:16 UTC
Last seen:2023-11-20 18:43:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:KRIXK6oTsNXz/kfArTnzS+hUVUyWAUq8hXU2qG3NXFX7Fc3fnsQPFeVAO5:KOK6wsV7kfAPZheU1qgXkdO5
Threatray 7 similar samples on MalwareBazaar
TLSH T15245013806746359EBAA82F3E8C10C59B354FD35197BF65EBC8ACEC615F89A90493C43
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:exe Glupteba


Avatar
andretavare5
Sample downloaded from http://91.92.243.139/files/InstallSetup2.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
314
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459176/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.27718.22605.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/655a9d0fe7421d316a45b12e/reports/099bfb3f-a7b3-42f3-a807-e9cdff16afa3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3310176989a25f60f2406a1da8ebfd962b27c07ee107b3472faff5e1df3857c9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b3cc352-c1bc-4ecd-afec-e538b123abf0
Result
Threat name:
Glupteba, Neoreklami, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1344841
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Neoreklami
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1344841 Sample: file.exe Startdate: 20/11/2023 Architecture: WINDOWS Score: 100 148 Multi AV Scanner detection for domain / URL 2->148 150 Found malware configuration 2->150 152 Malicious sample detected (through community Yara rule) 2->152 154 17 other signatures 2->154 9 file.exe 2 4 2->9         started        12 cmd.exe 2->12         started        process3 signatures4 156 Writes to foreign memory regions 9->156 158 Allocates memory in foreign processes 9->158 160 Adds a directory exclusion to Windows Defender 9->160 162 2 other signatures 9->162 14 CasPol.exe 15 231 9->14         started        19 powershell.exe 19 9->19         started        21 GikPROUenrJ7D14kvPwwyf6t.exe 12->21         started        23 conhost.exe 12->23         started        process5 dnsIp6 132 91.92.243.139 THEZONEBG Bulgaria 14->132 134 107.167.110.211 OPERASOFTWAREUS United States 14->134 138 6 other IPs or domains 14->138 106 C:\Users\...\z5J6449VJUkTYJiQmgnitECu.exe, PE32 14->106 dropped 108 C:\Users\...\wIJrwmY69dIM9Fng72cVrHWR.exe, PE32 14->108 dropped 110 C:\Users\...\vc4l8v9bPWx0WkNMwoEphKUk.exe, PE32 14->110 dropped 120 198 other malicious files 14->120 dropped 140 Drops script or batch files to the startup folder 14->140 142 Creates HTML files with .exe extension (expired dropper behavior) 14->142 144 Writes many files with high entropy 14->144 25 KOVkPYkPlxWInJz7Ct0D2zBx.exe 14->25         started        29 iaBBdB1lm1Ylr85BF6oEx8JJ.exe 32 14->29         started        32 QLyBj7IEFPCtDRNR88m3LciO.exe 14->32         started        36 15 other processes 14->36 34 conhost.exe 19->34         started        136 107.167.110.217 OPERASOFTWAREUS United States 21->136 112 Opera_installer_2311192342201907648.dll, PE32 21->112 dropped 114 C:\Users\user\AppData\Local\...\opera_package, PE32 21->114 dropped 116 C:\Users\...behaviorgraphikPROUenrJ7D14kvPwwyf6t.exe, PE32 21->116 dropped 118 Opera_105.0.4970.1...toupdate_x64[1].exe, PE32 21->118 dropped file7 signatures8 process9 dnsIp10 88 C:\Users\user\AppData\Local\...\Install.exe, PE32 25->88 dropped 90 C:\Users\user\AppData\Local\...\config.txt, data 25->90 dropped 168 Writes many files with high entropy 25->168 38 Install.exe 25->38         started        122 107.167.110.216 OPERASOFTWAREUS United States 29->122 124 107.167.110.218 OPERASOFTWAREUS United States 29->124 130 3 other IPs or domains 29->130 92 Opera_installer_2311192341557003300.dll, PE32 29->92 dropped 102 2 other malicious files 29->102 dropped 41 iaBBdB1lm1Ylr85BF6oEx8JJ.exe 29->41         started        43 iaBBdB1lm1Ylr85BF6oEx8JJ.exe 29->43         started        45 iaBBdB1lm1Ylr85BF6oEx8JJ.exe 29->45         started        126 149.154.167.99 TELEGRAMRU United Kingdom 32->126 128 167.235.143.166 ALBERTSONSUS United States 32->128 94 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 32->94 dropped 170 Detected unpacking (changes PE section rights) 32->170 172 Detected unpacking (overwrites its own PE header) 32->172 174 Found evasive API chain (may stop execution after checking computer name) 32->174 176 Tries to harvest and steal browser information (history, passwords, etc) 32->176 96 Opera_installer_2311192342197857812.dll, PE32 36->96 dropped 98 Opera_installer_2311192342124127552.dll, PE32 36->98 dropped 100 Opera_installer_2311192342084937224.dll, PE32 36->100 dropped 104 14 other malicious files 36->104 dropped 178 Found Tor onion address 36->178 180 Contain functionality to detect virtual machines 36->180 182 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->182 47 Install.exe 36->47         started        49 Broom.exe 36->49         started        52 p1kyZ1rEAyhRFtNQBKxVpzdZ.exe 36->52         started        54 5 other processes 36->54 file11 signatures12 process13 file14 64 C:\Users\user\AppData\Local\...\Install.exe, PE32 38->64 dropped 56 Install.exe 38->56         started        66 Opera_installer_2311192342133627364.dll, PE32 41->66 dropped 60 iaBBdB1lm1Ylr85BF6oEx8JJ.exe 41->60         started        68 Opera_installer_2311192341562846136.dll, PE32 43->68 dropped 70 Opera_installer_2311192341588063744.dll, PE32 45->70 dropped 72 C:\Users\user\AppData\Local\...\Install.exe, PE32 47->72 dropped 62 Install.exe 47->62         started        146 Multi AV Scanner detection for dropped file 49->146 74 Opera_installer_2311192342095357336.dll, PE32 52->74 dropped 76 Opera_installer_2311192342269737924.dll, PE32 54->76 dropped 78 Opera_installer_2311192342229157612.dll, PE32 54->78 dropped 80 Opera_installer_2311192342182847480.dll, PE32 54->80 dropped signatures15 process16 file17 82 C:\Users\user\AppData\Local\...\RFnapjU.exe, PE32 56->82 dropped 84 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 56->84 dropped 164 Multi AV Scanner detection for dropped file 56->164 166 Modifies Group Policy settings 56->166 86 Opera_installer_2311192342289137680.dll, PE32 60->86 dropped signatures18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3310176989a25f60f2406a1da8ebfd962b27c07ee107b3472faff5e1df3857c9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3310176989a25f60f2406a1da8ebfd962b27c07ee107b3472faff5e1df3857c9/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-11-19 21:47:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gmibo2mjujpwb4sanio2r275syvspqd64ed3grzpv726dxzyk7eq._file
Verdict:
malicious
Similar samples:
57dd76c7c512afbed21d7304a66fffd89cd904c39a47d459a49aec1f5f1d5235
Glupteba
6289ccd8121caf8808c91f229e70b4275af6452ef74f507e9919e09c38b02e44
Glupteba
c77aeea8df56c68cf64ac5486a0d5774a1bd8dc6f94e3fa8ae447ff78ec12ace
Glupteba
c99f57b763d90598609eb0b585ca8399057531d171021d3052efdefe26289117
Glupteba
fc0648345e4be061ff4ec08d72c7210afa00a8ff3c490dd0e4f023474e87bef9
Glupteba
Result
Malware family:
glupteba
Create hunting rule
Score:
  10/10
Tags:
family:glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/231119-3pegrscf99/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
3310176989a25f60f2406a1da8ebfd962b27c07ee107b3472faff5e1df3857c9
MD5 hash:
8f602d30966ffba20f95c2c047080aef
SHA1 hash:
cb496f2193e5623ed0a8066bb0b9d996a79fd458
Link:
https://www.unpac.me/results/fed8971a-e3af-460c-ae51-3ec44ab844a1/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3310176989a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3310176989a25f60f2406a1da8ebfd962b27c07ee107b3472faff5e1df3857c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2730658/
Cape
Cape
https://www.capesandbox.com/analysis/459176/

Comments