MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5032244863d62238e00af2c69bf254fdb384fadb00972450472f66ddf00b5288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5032244863d62238e00af2c69bf254fdb384fadb00972450472f66ddf00b5288
SHA3-384 hash: 0a051ca4cee1f12d1c08265a635529f45ecf6d3e059f5684360325fff95d2fce333af2c8f02a20a9f32de8aabcb8af96
SHA1 hash: f05db80a6bb4d2d844b93ae60b2d34fea031c621
MD5 hash: f3609a49a5d6eafa54f5ba5f9b90fc69
humanhash: october-california-william-west
File name:SecuriteInfo.com.Generic.mg.f3609a49a5d6eafa.15250
Download: download sample
Signature Glupteba
Create hunting rule
File size:3'957'248 bytes
First seen:2020-08-26 22:01:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc32dde9023a663df75564fdb67f922e (1 x Glupteba)
ssdeep 98304:Nik+Rxea+kkxMET66SCF2O9NeVx2YCkwKPkFlQDM:sOXBxw6S8228VUPkwKPElQ
Threatray 33 similar samples on MalwareBazaar
TLSH 8B06337639D2DC72E21905B60037EB84EA2FFDB184B89349FB606CB56EB0B518743746
Reporter SecuriteInfoCom
Tags:Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51477/
Detection(s):
SecuriteInfo.com.Generic.mg.f3609a49a5d6eafa.15250.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
DNS request
Launching a process
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Replacing files
Moving a file to the system32 directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/452109
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Schedule CERTUTIL windows binary
Sigma detected: Suspicious Certutil Command
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 278448 Sample: SecuriteInfo.com.Generic.mg... Startdate: 27/08/2020 Architecture: WINDOWS Score: 100 77 easywbdesign.com 2->77 79 bbistrovantonbb.com 2->79 85 Multi AV Scanner detection for domain / URL 2->85 87 Antivirus detection for dropped file 2->87 89 Multi AV Scanner detection for dropped file 2->89 91 13 other signatures 2->91 10 SecuriteInfo.com.Generic.mg.f3609a49a5d6eafa.exe 19 2->10         started        13 cmd.exe 2->13         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 105 Detected unpacking (changes PE section rights) 10->105 107 Detected unpacking (overwrites its own PE header) 10->107 109 Drops PE files with benign system names 10->109 20 SecuriteInfo.com.Generic.mg.f3609a49a5d6eafa.exe 13 2 10->20         started        24 certutil.exe 13->24         started        27 conhost.exe 13->27         started        111 Changes security center settings (notifications, updates, antivirus, firewall) 15->111 73 127.0.0.1 unknown unknown 17->73 75 192.168.2.1 unknown unknown 17->75 signatures6 process7 dnsIp8 59 C:\Windows\rss\csrss.exe, PE32 20->59 dropped 93 Drops executables to the windows directory (C:\Windows) and starts them 20->93 95 Creates an autostart registry key pointing to binary in C:\Windows 20->95 29 csrss.exe 3 4 20->29         started        34 cmd.exe 1 20->34         started        36 cmd.exe 1 20->36         started        81 bbistrovantonbb.com 104.27.164.226, 443, 49739, 49740 CLOUDFLARENETUS United States 24->81 61 C:\Windows\System32\config\...\app[1].exe, PE32 24->61 dropped 63 C:\...\18DB5E73109514020ED113C19CB8415A, PE32 24->63 dropped 65 C:\Users\user\AppData\Local\...\scheduled.exe, PE32 24->65 dropped 97 System process connects to network (likely due to code injection or exploit) 24->97 99 Creates files in the system32 config directory 24->99 file9 signatures10 process11 dnsIp12 83 c51934dc-16d9-4912-b410-bfd77f283a0f.server3.easywbdesign.com 104.27.158.16, 443, 49736, 49737 CLOUDFLARENETUS United States 29->83 67 C:\Windows\System32\drivers\Winmon.sys, PE32+ 29->67 dropped 69 C:\Users\user\AppData\Local\...\patch.exe, PE32+ 29->69 dropped 71 C:\Users\user\AppData\Local\...\dsefix.exe, PE32+ 29->71 dropped 113 Multi AV Scanner detection for dropped file 29->113 115 Detected unpacking (changes PE section rights) 29->115 117 Detected unpacking (overwrites its own PE header) 29->117 119 3 other signatures 29->119 38 patch.exe 29->38         started        41 schtasks.exe 1 29->41         started        43 schtasks.exe 1 29->43         started        45 bcdedit.exe 29->45         started        47 netsh.exe 3 34->47         started        49 conhost.exe 34->49         started        51 netsh.exe 3 36->51         started        53 conhost.exe 36->53         started        file13 signatures14 process15 signatures16 101 Multi AV Scanner detection for dropped file 38->101 55 conhost.exe 41->55         started        57 conhost.exe 43->57         started        103 Creates files in the system32 config directory 47->103 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5032244863d62238e00af2c69bf254fdb384fadb00972450472f66ddf00b5288/
Threat name:
Win32.Trojan.Zenpack
Create hunting rule
Status:
Malicious
First seen:
2020-08-26 19:26:45 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kazcisdd2yrdryak6ldjx4su7wzyj6w3aclsiuchf5tn34alkkea._file
Verdict:
malicious
Similar samples:
34c2eed8a266d3b5221bb51f0b5a59712b01d0b339a1db8f626688cb8fb81030
Glupteba
39264a6f15e8a51bab03924312a3dd05fc58a8d2b4aac39ca00e4cf16c9a21a9
Glupteba
6ea5155a0572aed1cc6d535c2c9111a35aa20ee1c798a1eafaa0ced97b703e07
Glupteba
86fce58f93e4087e261c52befbb872ddafeb8129008d5153c90084cd4a4a45d0
Glupteba
9808a3875c36c7fc105ebba81213f9c108dbf12d65025752013ea2a2763578d6
Glupteba
9f0c58f568c713eb2a7fc4836806a3e70bcdb41d05bfc75a1f815c64d856afde
Glupteba
b7db5b70b15ebac71e0aa8d7cb4e5f663171721b03157644cc2880a38337048a
Glupteba
c006abbb1bae333e5973f9c419bfd9c3c721698cf2cf3ffbd1048fdfb4de811b
Glupteba
cb1ffa5cd81d50702ee7296cd788a66fa8d5aa422e5cb4cdaca5a2ea4322141f
Glupteba
f4be8a038fc4b681a850d8ecaecc1f663d41bf27daf4f1af9c4cee1a3f63ae1a
Glupteba
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan discovery persistence
Link:
https://tria.ge/reports/200826-jy1f2qn6se/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Drops file in Windows directory
Modifies service
Adds Run key to start application
Checks installed software on the system
JavaScript code in executable
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Windows security modification
Loads dropped DLL
Windows security modification
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Modifies boot configuration data using bcdedit
Modifies boot configuration data using bcdedit
Windows security bypass
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MalPE
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5032244863d62238e00af2c69bf254fdb384fadb00972450472f66ddf00b5288

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51477/

Comments