MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43884e22b0a3c165fe35508ae947131a0d01f306f721e5cad6903617c4ae97bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 12


SHA256 hash: 43884e22b0a3c165fe35508ae947131a0d01f306f721e5cad6903617c4ae97bc
SHA3-384 hash: a47db61f16e5a3a4d11d60d44d481ebb9769b800b87306ee8cb8f0c3e801df640f1b0ddfeebc67530ed3454c04b7a589
SHA1 hash: 26b3a812bae1348df07890dcbcaf95ee215be2a8
MD5 hash: 02d1467a9aba04c85ffd71d3cd4948fc
humanhash: bacon-queen-ack-chicken
File name: file
Download: download sample
Signature: Glupteba
File size: 1'652'448 bytes
First seen: 2023-12-28 16:29:48 UTC
Last seen: 2023-12-28 18:17:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:SN1powac0SEgTnrNlxoMbyCbzkqXfd+/9A7:SzpygEgTrzcMzkqXf0FE
Threatray: 4 similar samples on MalwareBazaar
TLSH: T19275F1FFE62C4EC6EF72EB64885219D1B868D0CE137CCB505758B9255FBE13924E2122
TrID: 35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.9% (.ICL) Windows Icons Library (generic) (2059/9)
      6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: jstrosch
Tags: .NET exe Glupteba MSIL signed

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-27T01:55:57Z
Valid to: 2024-12-27T01:55:57Z
Serial number: 443c0419004c5f163a6cbabde5c04b2f
Thumbprint algorithm: SHA256
Thumbprint: 060a9cd058d698d2bf49c32d1be6ae44fe7c2315518edc4abc5bbd91c194601c
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 312
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Sending a UDP request
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Glupteba
Detection: malicious
Classification: rans.troj.expl.evad
Score: 98 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
UAC bypass detected (Fodhelper)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Glupteba
Behaviour
Behavior Graph: [process/behaviour graph omitted; Behavior Graph ID: 1367738, Sample: file.exe, Start date: 28/12/2023, Architecture: WINDOWS, Score: 98]
Threat name: Win32.Trojan.Nekark
Status: Malicious
First seen: 2023-12-28 16:30:11 UTC
File type: PE (.Net Exe)
Extracted files: 1
AV detection: 12 of 22 (54.55%)
Threat level: 5/5

Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba dropper evasion loader trojan upx
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
System policy modification
NSIS installer
Enumerates physical storage devices
Launches sc.exe
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 8e53cee38028793baa6e3fc90af21731fb494ee12a8ad647efaf4c84152095ea
MD5 hash: e8b75da40ac245676bc4ab7821e26dc5
SHA1 hash: ad2e5606a06ac7918d36097e6077a592f9a60c9b

SHA256 hash: 43884e22b0a3c165fe35508ae947131a0d01f306f721e5cad6903617c4ae97bc
MD5 hash: 02d1467a9aba04c85ffd71d3cd4948fc
SHA1 hash: 26b3a812bae1348df07890dcbcaf95ee215be2a8
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Glupteba
File: Executable exe 43884e22b0a3c165fe35508ae947131a0d01f306f721e5cad6903617c4ae97bc (this sample)

Delivery method: Distributed via web download

Comments