MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a31805ece3bf663781939d4baf36699115de14c9814c0142b6c2aa2cc2e2cda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 11



SHA256 hash: 3a31805ece3bf663781939d4baf36699115de14c9814c0142b6c2aa2cc2e2cda
SHA3-384 hash: 17cdd3929f871bdef6b2b17fd66a23dbb83059f5c8859c9db0558937f77c30e99e78e0c73b9bbf3ee3c9c6fdfc5cbe07
SHA1 hash: ea9b6ac08a7fb50fda4d7fbad9a9bf7a39f66019
MD5 hash: cd68675cfab7247737d8b4f0c9329dbd
humanhash: quebec-edward-river-tennessee
File name: cd68675cfab7247737d8b4f0c9329dbd.exe
Signature: Glupteba
File size: 4'960'768 bytes
First seen: 2022-10-10 14:43:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32a0f6ffa80f8fd32149b6575ae14da5 (2 x Glupteba)
ssdeep: 98304:vUjPpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7x:v+bFmS3VjVEOeTtJHbdnrz7
Threatray: 21 similar samples on MalwareBazaar
TLSH: T1AE36D02AB70981B7DA7177F199AB65DE9430DC30D06940F8EE830B48E516EB743BA347
TrID:
  65.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
  25.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
  4.2% (.EXE) InstallShield setup (43053/19/16)
  1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  1.2% (.SCR) Windows screen saver (13101/52/3)
dhash icon: 88a8e0c8e0a0a2a2 (3 x Glupteba)
Reporter: abuse_ch
Tags: exe Glupteba

Intelligence

File Origin
# of uploads: 1
# of downloads: 241
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP POST request
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CryptOne
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph (rendered graphic not reproduced here): Behavior Graph ID 719658; sample xeH3H73Pyp.exe; start date 10/10/2022; architecture WINDOWS; score 88. Graph nodes: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected CryptOne packer; 2 other signatures; process xeH3H73Pyp.exe started; network 217.195.155.154:8081 (SHOCK-1US, Netherlands); Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); WerFault.exe started (3 instances); 2 other processes.
Threat name: Win32.Trojan.Bsymem
Status: Malicious
First seen: 2022-10-10 14:44:16 UTC
File Type: PE (Exe)
Extracted files: 79
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Gathering data
Unpacked files
SHA256 hash: 69d043f055680cbd141f3b1f02d9f893d0984596f1702b85aa960f8980bc6b6e
MD5 hash: 9b48c7427e6d09b88e0f40453f1b5e7b
SHA1 hash: f40bcd1863f21f6fe9ec914ff432d84492860aa0
SHA256 hash: 3a31805ece3bf663781939d4baf36699115de14c9814c0142b6c2aa2cc2e2cda
MD5 hash: cd68675cfab7247737d8b4f0c9329dbd
SHA1 hash: ea9b6ac08a7fb50fda4d7fbad9a9bf7a39f66019
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Glupteba
Sample: Executable exe 3a31805ece3bf663781939d4baf36699115de14c9814c0142b6c2aa2cc2e2cda (this sample)

Delivery method: Distributed via web download
