MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e3740f106a2dd5ff862d1d88885e869a01fe7f3aac167e4d8eeaf7e9b2e5393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e3740f106a2dd5ff862d1d88885e869a01fe7f3aac167e4d8eeaf7e9b2e5393
SHA3-384 hash: f4c921d9ea8a4d9481fdcf07980c01bd6567c6d9ab47873a8ab43c681c8679394a51c07d0d31b08e1f423a44d25d3299
SHA1 hash: 21f801a409f339a3a6284899a56345d81da729ea
MD5 hash: 3ae61e9f9aa3f193590c6c0ab2cfc1e4
humanhash: video-carbon-fifteen-montana
File name:Meta.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'557'824 bytes
First seen:2021-09-11 06:22:55 UTC
Last seen:2021-09-11 07:22:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash af15f8c81f40203c694f921fcf93798f (2 x DanaBot, 2 x Glupteba)
ssdeep 98304:mFr2HBl7R9Jqygm+4o9W1iCulD6zlEAsnIBdEa3YAEAsK1:mR2PRnqygmGaiLlehnBdEZ1i
Threatray 200 similar samples on MalwareBazaar
TLSH T1912633333E81DC7BE35726B0B17188495BAE7DA65604A247972686FE1FD038C46F8B0D
dhash icon b8b078eccacccc01 (9 x RaccoonStealer, 4 x Glupteba, 4 x RedLineStealer)
Reporter Anonymous
Tags:exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-09-10 20:53:55 UTC
Tags:
trojan evasion loader rat redline stealer vidar autoit kelihos unwanted netsupport
Link:
https://app.any.run/tasks/30565023-23ae-45a3-8068-e192ddb6c4c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187012/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37566755.25541.15255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Sending an HTTP GET request
Query of malicious DNS domain
Sending a TCP request to an infection source
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82de5cba-e5e7-48c0-95c6-5fa80161c419
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849084
Signature
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481515 Sample: Meta.exe Startdate: 11/09/2021 Architecture: WINDOWS Score: 100 81 Found malware configuration 2->81 83 Antivirus detection for URL or domain 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 10 other signatures 2->87 9 Meta.exe 19 2->9         started        12 csrss.exe 2->12         started        14 csrss.exe 2->14         started        16 csrss.exe 2->16         started        process3 signatures4 97 Detected unpacking (changes PE section rights) 9->97 99 Modifies the windows firewall 9->99 101 Drops PE files with benign system names 9->101 18 Meta.exe 11 2 9->18         started        23 csrss.exe 12->23         started        25 csrss.exe 14->25         started        27 csrss.exe 16->27         started        process5 dnsIp6 73 humisnee.com 172.64.166.3, 443, 49736 CLOUDFLARENETUS United States 18->73 63 C:\Windows\rss\csrss.exe, PE32 18->63 dropped 89 Drops executables to the windows directory (C:\Windows) and starts them 18->89 91 Creates an autostart registry key pointing to binary in C:\Windows 18->91 29 csrss.exe 4 7 18->29         started        34 cmd.exe 1 18->34         started        file7 signatures8 process9 dnsIp10 75 spolaect.info 104.21.33.110, 443, 49747 CLOUDFLARENETUS United States 29->75 77 server5.ninhaine.com 104.21.9.31, 443, 49737, 49742 CLOUDFLARENETUS United States 29->77 79 4 other IPs or domains 29->79 65 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 29->65 dropped 67 C:\Users\...67tQuerySystemInformationHook.dll, PE32+ 29->67 dropped 69 C:FI\Microsoft\Boot\bootmgfw.efi, MS-DOS 29->69 dropped 71 4 other files (none is malicious) 29->71 dropped 103 Multi AV Scanner detection for dropped file 29->103 105 Detected unpacking (changes PE section rights) 29->105 107 Machine Learning detection for dropped file 29->107 111 2 other signatures 29->111 36 injector.exe 29->36         started        39 schtasks.exe 1 29->39         started        41 mountvol.exe 1 29->41         started        47 4 other processes 29->47 109 Uses netsh to modify the Windows network and firewall settings 34->109 43 netsh.exe 3 34->43         started        45 conhost.exe 34->45         started        file11 signatures12 process13 signatures14 93 Multi AV Scanner detection for dropped file 36->93 49 conhost.exe 36->49         started        51 conhost.exe 39->51         started        53 conhost.exe 41->53         started        95 Creates files in the system32 config directory 43->95 55 conhost.exe 45->55         started        57 conhost.exe 47->57         started        59 conhost.exe 47->59         started        61 conhost.exe 47->61         started        process15
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e3740f106a2dd5ff862d1d88885e869a01fe7f3aac167e4d8eeaf7e9b2e5393/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 21:34:25 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jy3ub4igulov76dc2hmirbpingqb7z7tvlawpzgy52xx5gzokojq._file
Verdict:
malicious
Similar samples:
13492a113107ae59e2fe02f3c3b9afa411a39caa73b78ea06dec0fb9a970f7a2
Glupteba
16d1ba9319a2329e64fea8762174354cc0781ab71a181a4ec19a8464b28ff90c
Glupteba
39c5720b9f6ecc9266cb2f31e1d3201da9e0ad17add1af5ec231a3cd1eae4634
Glupteba
52ec02df4ae8189c6e0c97b69ab4bc0c7eb3dbf2c9056dfd0749589ec0ff8aa6
Glupteba
55ed36eee21fc8115e9a02c95c218df563db0463088576b9da8b2def73311c05
Glupteba
66461a7bc3c5893117b2def208f60acd1214f2f684d20faea7ca9ad087548df7
Glupteba
8c931f2aa9920fd1756244ea50369a0290ea5a75b2b9416c68e8162ee300f06a
Glupteba
aa15c9a23c122e4df9220823e55ccc39dcb7ac6b0fd07633f5b850e787b1a61f
Glupteba
c9c189dc56b69367c3c9249ca291824cd7486680d075dccdffec4c52af4d5d39
Glupteba
fa5ae1658989d1d11e8100a350d08ed016e81e1ab007a271f8c73182bd3d6ccb
Glupteba
+ 190 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210911-g5gq6sebhq/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
aa6ecbb2334048c3205ec9d947b0abb6d61f7ff235ae6e0e1159af59a1fe2c1a
MD5 hash:
92fb96677b8ca5fb356db81fa28ce66d
SHA1 hash:
5f786048fb4854c7bdd78bc0d4ebbef2e5f8d4d0
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/0f92934d-761d-482b-8e09-780d631dfeb3/
Parent samples :
16d1ba9319a2329e64fea8762174354cc0781ab71a181a4ec19a8464b28ff90c
55ed36eee21fc8115e9a02c95c218df563db0463088576b9da8b2def73311c05
8c931f2aa9920fd1756244ea50369a0290ea5a75b2b9416c68e8162ee300f06a
c9c189dc56b69367c3c9249ca291824cd7486680d075dccdffec4c52af4d5d39
fa5ae1658989d1d11e8100a350d08ed016e81e1ab007a271f8c73182bd3d6ccb
39c5720b9f6ecc9266cb2f31e1d3201da9e0ad17add1af5ec231a3cd1eae4634
274755403bcea4b01a2fb4ebabaa1ffd3a3f06ad52c4fa747b8a52f1e7b4dd54
a4fa281b7b5380cb6ce5eb5a03280cc2ba573a7e724ea9ecaec3eef72a8c3c98
b7d6313abaa9157a215b0c3a952068bad014c490f359becab0b55c7e01885034
5d02823347e5eed62fc726832e4044731b5ae02167106e92d3dbd5848f9fba42
3bfa0b763724da5383365a116fde4a9cc1a1932b0f8bd4ba30807386e2b888e6
3e44aaf53dce4bee54658ad0a4ceecf11d73809de59eaad7c652c0e816304bd5
52ec02df4ae8189c6e0c97b69ab4bc0c7eb3dbf2c9056dfd0749589ec0ff8aa6
13232095abb958a88e02a47fd29f57c3d5a899cd57eed4a67bb1a3ecaa919525
66461a7bc3c5893117b2def208f60acd1214f2f684d20faea7ca9ad087548df7
aa15c9a23c122e4df9220823e55ccc39dcb7ac6b0fd07633f5b850e787b1a61f
4e3740f106a2dd5ff862d1d88885e869a01fe7f3aac167e4d8eeaf7e9b2e5393
8756bca615d9140f087ae1df1fbbe56289b991a2efae64d61feb0a162e06d127
eb4694ad3a62d2e007c0f0aba545d57af7dcb41b78504401bafda510d85d9a4f
c794b0cf979f41374471d77bb1cf16eccb46af151a887044c02fe033143b2264
195289a2400f2cb9e94631539b23bc5b2f643e0b444d81485600ee62ea674d89
40507efbaa22e1db92c98d29ede1cdb9f68dcca04bf9558fe96e90ed18e847c1
7600aa65af2e0c32f0471192312b18184c708e72d0eb9af7be927f210dc7ca12
24073b2c9d79f2505f93c77c1e06f6a0b7b44efe3a26e58e99ecb239566cb201
e8c32e157a66fe9ec15372df53785ef878ae8869231ff57d170a5a1f6e609948
b60acb821cf9e94148f4f748830800d285ba1b4ab3d708bbf7033ded3f1c331c
d5bc83c6fef7c7dffe1ed4475bcbfda29d96dfb53b560c545cf7b7c29b639591
b19abbca0a9e526093ea103daa869ec70c1163b7c80844c6be7cd684be26bda7
60cc9eee3e5c35b67498092c33e30735304e8da670e1c6838f181578b30badf2
a8b9ca1ef77bca059ca40539d5943a082361409db76565e60a7541f6e1888898
1db9ab5cff09340433604b9148483cdd81fcbb082816b85a55669ff39cf6a7a3
dd4cd014bf67de3e7820783f35dd3810a6ad0a15985d3c2701abccf26e748bcb
a64593eda5475dfe88df519417b82923962411cbcfcd2997e93ac9daf6ada420
e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36
SH256 hash:
4e3740f106a2dd5ff862d1d88885e869a01fe7f3aac167e4d8eeaf7e9b2e5393
MD5 hash:
3ae61e9f9aa3f193590c6c0ab2cfc1e4
SHA1 hash:
21f801a409f339a3a6284899a56345d81da729ea
Link:
https://www.unpac.me/results/0f92934d-761d-482b-8e09-780d631dfeb3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e3740f106a2dd5ff862d1d88885e869a01fe7f3aac167e4d8eeaf7e9b2e5393

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187012/

Comments