MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42afece193b0655d0e769ca271d37d978c6265dc6404b679e3150d15225b2a60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 12



SHA256 hash: 42afece193b0655d0e769ca271d37d978c6265dc6404b679e3150d15225b2a60
SHA3-384 hash: fa02448f231cde9cef3b9d7d314bc25185384097f11943142bb4e1154c184296d03666bd38c54843b01cf7648a541a45
SHA1 hash: e5741c4de55c6e5592b97eb6a2da62f2f18c2408
MD5 hash: 9fe5f5deb66b5752018c29526c756e0c
humanhash: xray-autumn-wisconsin-texas
File name: 9fe5f5deb66b5752018c29526c756e0c
Signature: Glupteba
File size: 5'513'456 bytes
First seen: 2024-02-25 03:24:10 UTC
Last seen: 2024-02-25 05:29:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 39389b46d0fc73ab23c0909b184bbcf1 (1 x Stealc, 1 x Glupteba)
ssdeep: 98304:SZuzUFBlFMZ5T3a+gxH4Y5im48xaOxQc1zR0eWDu:SA+Zwxn4/5r4NaNcDu
TLSH: T11546337371E9BA92EEA2133DD9155C231961D6108B42BA28F13FCFE5188712DB7F6312
TrID:
  45.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.3% (.EXE) OS/2 Executable (generic) (2029/13)
  18.0% (.EXE) Generic Win/DOS Executable (2002/3)
  18.0% (.EXE) DOS Executable Generic (2000/1)
  0.0% (.TAR) TAR - Tape ARchive (directory) (10/3)
dhash icon: 009286868686f800 (4 x Stealc, 4 x AgentTesla, 3 x Smoke Loader)
Reporter: zbetcheckin
Tags: 64 exe Glupteba signed

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-02-24T19:33:50Z
Valid to: 2025-02-24T19:33:50Z
Serial number: 0f6a13e84c26233efa3ee62859b68533
Thumbprint Algorithm: SHA256
Thumbprint: 8455cd2cc61bfb34c4ed02d999a6d2d88cd058f4e492e371af1fd00d90f2b77d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 470
Origin country: FR

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: hacktool overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Glupteba, Stealc
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops script or batch files to the startup folder
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1398299
Sample: wc0t94M8sW.exe
Startdate: 25/02/2024
Architecture: WINDOWS
Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 10 other signatures

Process tree (reconstructed from the behavior graph):
  wc0t94M8sW.exe
    signatures: Query firmware table information (likely to detect VMs); Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
    jsc.exe
      network: 194.104.136.64 SMEERBOEL-ASSMEERBOELBVNL Netherlands; 107.167.110.216 OPERASOFTWAREUS United States; 10 other IPs or domains
      dropped: C:\Users\...\zYGm5s8Qsbgc4XcMn1OFz2Xz.exe (PE32); C:\Users\...\yFbPbYxtewW3FxvzFYBBQBhm.exe (PE32); C:\Users\...\xfE1lSj2ZAzh2qY5atVIZCHY.exe (PE32); 199 other malicious files
      signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
      KmYZFmHaO7fcyG9GORYzidaH.exe
        network: 107.167.110.211 OPERASOFTWAREUS United States; 4 other IPs or domains
        dropped: 9 other malicious files
        signatures: Writes many files with high entropy
        KmYZFmHaO7fcyG9GORYzidaH.exe (dropped: 15 other malicious files)
        KmYZFmHaO7fcyG9GORYzidaH.exe (dropped: Opera_installer_2402250326146327444.dll, PE32)
        KmYZFmHaO7fcyG9GORYzidaH.exe (dropped: Opera_installer_2402250326216187680.dll, PE32)
      i4UPW553JFr4vWrxihhMixUW.exe
        network: 4 other IPs or domains
        dropped: C:\Users\user\AppData\Local\...\nsxD4DC.tmp (PE32); C:\Users\user\AppData\Local\...\INetC.dll (PE32); 2 other malicious files
        nsxD4DC.tmp
          network: 185.172.128.145 NADYMSS-ASRU Russian Federation
          dropped: 12 other files (8 malicious)
          signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 4 other signatures
        BroomSetup.exe
          cmd.exe
            conhost.exe
            chcp.com
      FdoYcTnZmDyFdFzYYVYB8CFG.exe
        network: 107.167.110.218 OPERASOFTWAREUS United States; 107.167.125.189 OPERASOFTWAREUS United States; 23.48.203.209 AKAMAI-TYO-APAkamaiTechnologiesTokyoASNSG United States
        dropped: Opera_installer_2402250326144477328.dll (PE32); 3 other malicious files
        FdoYcTnZmDyFdFzYYVYB8CFG.exe (dropped: Opera_installer_2402250326214977528.dll, PE32)
        FdoYcTnZmDyFdFzYYVYB8CFG.exe (dropped: Opera_installer_2402250326246472132.dll, PE32)
      18 other processes
        network: 37.228.108.133 NO-OPERANO Norway
        dropped: Opera_installer_2402250326250077984.dll (PE32); Opera_installer_2402250326239177860.dll (PE32); 10 other malicious files
        signatures: Detected unpacking (changes PE section rights); Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Install.exe (dropped: C:\Users\user\AppData\Local\...\Install.exe, PE32)
        3 other processes (dropped: Opera_installer_2402250326268567296.dll, PE32; 2 other malicious files)
    WerFault.exe
      network: 20.42.73.29 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
  cmd.exe
    conhost.exe
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-02-24 23:26:14 UTC
File Type: PE+ (Exe)
Extracted files: 2
AV detection: 15 of 24 (62.50%)
Threat level: 2/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:glupteba family:stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Stealc
Windows security bypass
Unpacked files
SHA256 hash: 42afece193b0655d0e769ca271d37d978c6265dc6404b679e3150d15225b2a60
MD5 hash: 9fe5f5deb66b5752018c29526c756e0c
SHA1 hash: e5741c4de55c6e5592b97eb6a2da62f2f18c2408
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Glupteba
Executable exe 42afece193b0655d0e769ca271d37d978c6265dc6404b679e3150d15225b2a60 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2024-02-25 03:24:12 UTC

url: hxxp://15.204.38.209/files/installsetup2.exe