MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 347d793c12fd82dc8e0841d24d2f8cb9743534bd0f156b302b5cb7b07bb5d319. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 14

SHA256 hash: 347d793c12fd82dc8e0841d24d2f8cb9743534bd0f156b302b5cb7b07bb5d319
SHA3-384 hash: a6760a591ccdb16f12e12e26c6af03e60dd91e0bcb7713613e35b2cc7bdb4f60c620ac501edda514bdda8e9eee0ea3fd
SHA1 hash: 817e07af846b030d1efe34b9ea447686af20a6bc
MD5 hash: 5f3075f55c32a2810650f55bc4177338
humanhash: rugby-fanta-michigan-lactose
File name: file
Signature: Glupteba
File size: 896'880 bytes
First seen: 2023-11-30 17:43:05 UTC
Last seen: 2023-11-30 22:17:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:JYCIm+KbfO1sGNHU/qNbHC/zuask5yIZYL0b:QXfuqbC+ab6y
Threatray: 14 similar samples on MalwareBazaar
TLSH: T1DE15E080751A27E7EDC81279A9E3350E865A2EA823E0FE7D9CF1F5C5540DF919600E1F
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: andretavare5
Tags: exe Glupteba signed

Code Signing Certificate

Organisation: webpic inc
Issuer: webpic inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-11-30T16:31:47Z
Valid to: 2024-11-30T16:31:47Z
Serial number: 9bb3a9b33fd1a295a961d2f822886fb1
Thumbprint algorithm: SHA256
Thumbprint: 991baa20275813051bc9ced3209ab5e1a4213c44d4eae506b7bb24a79f756c08
Source: ReversingLabs A1000 Malware Analysis Platform


Reporter comment (andretavare5):
Sample downloaded from http://91.92.241.91/files/InstallSetup2.exe

Intelligence

File Origin
Number of uploads: 4
Number of downloads: 342
Origin country: US
Vendor Threat Intelligence

Malware family: lokibot
ID: 1
File name: New Text Document.zip
Verdict: Malicious activity
Analysis date: 2023-11-30 23:58:11 UTC
Tags: opendir loader stealer grmsk lumma trojan lokibot evasion kelihos phorpiex amadey botnet dupzom servstart agenttesla socks5systemz formbook spyware neoreklami adware

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Moving a recently created file
Launching the process to interact with network services
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Socks5Systemz, Vidar
Detection: malicious
Classification: rans.troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Socks5Systemz
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1350707 (sample: file.exe, start date: 30/11/2023, architecture: WINDOWS, score: 100; the rendered process and network graph is not reproduced here)
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-11-30 17:44:03 UTC
File type: PE (.Net Exe)
Extracted files: 2
AV detection: 15 of 23 (65.22%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:vidar botnet:12c2d61a6798c01d07f5c4638a3ba698 discovery dropper evasion loader persistence ransomware rootkit spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
UAC bypass
Vidar
Windows security bypass
Malware Config
C2 Extraction:
https://t.me/s4p0g
https://steamcommunity.com/profiles/76561199575355834
Unpacked files
SHA256 hash: 0304d37b0e83cbc8b44c8be62a9b32d795304741680927ea6d7889fe84d60283
MD5 hash: cb54bcf24e18fe6cd52f9e120fd70ad4
SHA1 hash: 168a26688549c6d976188701a7437f8301ddc66c

SHA256 hash: 347d793c12fd82dc8e0841d24d2f8cb9743534bd0f156b302b5cb7b07bb5d319
MD5 hash: 5f3075f55c32a2810650f55bc4177338
SHA1 hash: 817e07af846b030d1efe34b9ea447686af20a6bc
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by