MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5befb90b9e363ee7a3c80607b83247dee8d21267f5923345119c07ac22f0bdef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5befb90b9e363ee7a3c80607b83247dee8d21267f5923345119c07ac22f0bdef
SHA3-384 hash: 88e1e1ef36f42dd6537b09b01024f2757ecaf22da83e628d6a8828fbaecd7de7235548cfce204a104e39bdc204449790
SHA1 hash: c221047f96a5c84e00455959b79607d0191b37db
MD5 hash: 13b753f9c80fc833e02928b47248b7b2
humanhash: lemon-lima-hot-oranges
File name:13b753f9c80fc833e02928b47248b7b2
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'607'016 bytes
First seen:2021-07-02 03:56:21 UTC
Last seen:2021-07-02 04:44:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 55a0c8c10bcaf6d6f8dc3c2058f9e5a7 (2 x Glupteba)
ssdeep 98304:oE8bMJXipnwojOrysBEkK8Ob1R1jolRCr3R1KmcNVdE//KM:BCwXipnXsekKX5R1IR7XdASM
Threatray 134 similar samples on MalwareBazaar
TLSH 412633917745E931D9C28631EE81EBB89A313F159D38AF177FA005CA2AB16D2D7343C2
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
13b753f9c80fc833e02928b47248b7b2
Verdict:
No threats detected
Analysis date:
2021-07-02 03:57:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a99191f1-fcbf-4aa5-99a0-bcf474b5c625

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169263/
Detection(s):
SecuriteInfo.com.Trojan.MalPack.GS.26684.23708.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a014c95-6b15-433d-9e48-7feb49e698bd
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810897
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Sigma detected: Suspicious Service DACL Modification
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443308 Sample: tOTiU7F1xV Startdate: 02/07/2021 Architecture: WINDOWS Score: 100 108 Antivirus detection for URL or domain 2->108 110 Multi AV Scanner detection for dropped file 2->110 112 Yara detected Glupteba 2->112 114 9 other signatures 2->114 10 tOTiU7F1xV.exe 19 2->10         started        13 svchost.exe 21 2->13         started        15 csrss.exe 2->15         started        17 7 other processes 2->17 process3 signatures4 120 Detected unpacking (changes PE section rights) 10->120 122 Detected unpacking (overwrites its own PE header) 10->122 124 Modifies the windows firewall 10->124 126 Drops PE files with benign system names 10->126 19 tOTiU7F1xV.exe 11 2 10->19         started        24 WerFault.exe 10->24         started        26 WerFault.exe 13->26         started        28 WerFault.exe 13->28         started        36 4 other processes 13->36 30 WerFault.exe 15->30         started        32 csrss.exe 15->32         started        34 csrss.exe 17->34         started        38 3 other processes 17->38 process5 dnsIp6 90 humisnee.com 172.67.206.104, 443, 49741 CLOUDFLARENETUS United States 19->90 80 C:\Windows\rss\csrss.exe, PE32 19->80 dropped 116 Drops executables to the windows directory (C:\Windows) and starts them 19->116 118 Creates an autostart registry key pointing to binary in C:\Windows 19->118 40 csrss.exe 3 8 19->40         started        45 cmd.exe 1 19->45         started        92 192.168.2.1 unknown unknown 30->92 47 WerFault.exe 34->47         started        file7 signatures8 process9 dnsIp10 94 spolaect.info 104.21.33.110, 443, 49751 CLOUDFLARENETUS United States 40->94 96 ninhaine.com 40->96 98 4 other IPs or domains 40->98 82 C:\Windows\windefender.exe, PE32 40->82 dropped 84 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 40->84 dropped 86 C:\Users\...86tQuerySystemInformationHook.dll, PE32+ 40->86 dropped 88 3 other files (none is malicious) 40->88 dropped 128 Detected unpacking (changes PE section rights) 40->128 130 Detected unpacking (overwrites its own PE header) 40->130 132 Machine Learning detection for dropped file 40->132 134 Uses schtasks.exe or at.exe to add and modify task schedules 40->134 49 windefender.exe 40->49         started        52 injector.exe 40->52         started        54 schtasks.exe 1 40->54         started        60 4 other processes 40->60 136 Uses netsh to modify the Windows network and firewall settings 45->136 56 netsh.exe 3 45->56         started        58 conhost.exe 45->58         started        file11 signatures12 process13 signatures14 100 Antivirus detection for dropped file 49->100 102 Multi AV Scanner detection for dropped file 49->102 104 Machine Learning detection for dropped file 49->104 62 cmd.exe 49->62         started        64 conhost.exe 52->64         started        66 conhost.exe 54->66         started        106 Creates files in the system32 config directory 56->106 68 conhost.exe 60->68         started        70 conhost.exe 60->70         started        72 conhost.exe 60->72         started        74 conhost.exe 60->74         started        process15 process16 76 conhost.exe 62->76         started        78 sc.exe 62->78         started       
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5befb90b9e363ee7a3c80607b83247dee8d21267f5923345119c07ac22f0bdef/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-07-02 03:57:09 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpx3sc46gy7opi6iayd3qmsh33uneeth6wjdgrirtqd2yixqxxxq._file
Verdict:
malicious
Similar samples:
07d9cc94a464997e7b768b4186bec3897e22650577d73aa6f9f924ba769648ea
Glupteba
0898957c40396d42ccd8e4d39800e2835bf537fe9c0206015c6f7968c687fe7d
Glupteba
0e2bcbe99b84383cfa549598d998bddce096daa94e1eb6dfbfa66d3cf12cc1e4
Glupteba
3ed60a60c3aeb99f383ef97de1581827c535d082cf9f33c5fe6ef572fc186a94
Glupteba
46836190326258f65c9dbc1930b01e9d3de04996a1a2c79e39a36c281d79fe0a
Glupteba
8e8ce2e7aded8560037718928e891ddc0831e7be68d906c93f91509e71756d72
Glupteba
af350212764e6304bf417e81cf0009b494119670e4bc1b187cd79cf4c487c7b6
Glupteba
b40d3f5493f03dd8fa6efc0d3f02c7f67d3ca76daa45dbec75887cb6eb013461
Glupteba
bf348bb3548e36fc86c7cd916f08be6f2b6e870ba20475e9aa660bf81cccb525
Glupteba
fb6dc575c8c198be8af4f170e7ff62ab2301ebef1720cb5ae6a835abd0d3a1b6
Glupteba
+ 124 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210702-pvkgbfw28e/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
b3dfd39fbd86b5473844d8e68bb08e24fce0778ac0ad83af44867d100ed6b9f3
MD5 hash:
57699197e5670c0f77d674d7818abbe6
SHA1 hash:
1b648548a7ce05ac6a62b0341e9ecbfff768dd03
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/e716b560-fad0-4c33-9e50-591fbdfd5507/
Parent samples :
5befb90b9e363ee7a3c80607b83247dee8d21267f5923345119c07ac22f0bdef
3de698ac8b7a255a50e6f0ec0fc0cba3299719516a96f641a24d0996aa1515c2
4b5091f5530ef7e23a331115a0290cc3c368fe23e4e53b68d5d61ffddd27e793
415f9d7bdc9ea00d2c8e58d906cdd7af876e28494e24e027401b6be60144ddcc
7471e982051110160ecb8d1a95aa8ba5d8f3d61d341706232caf57c1b8b3ac88
79c334850dedad7a1eacb71789b4f025a307bb093f916b51939384a6593315d3
db724681d71bd9cc6d6272e1fb68e52509a453b16c6b2bf3cf3040b6169bb1e5
cdd97a4a8f04c6241bc2bc9fed6b43dfc4b08b8d96ffa91688df52c3f0b489a6
dad7611f8df2b970dad82657205886a8b314472c59927c9ba29a484e1376e157
9629761247d31f92dd76b67e98acb749b69572cb7198e05b3a2a2b1fa3a9bfaa
7a30562757837dadbb29871ae310dd344b0c422d14920d4c72a98fa820f5e9e2
2db2cc193feadebfc2a1847f97ba91070840b51cc9729a3208cf288afa71f19a
67315a8a56433109b3fd378798d9d9a0b5b7f31e8054e1dcb4c5e91eb596b495
0042db3f1d304c60dc3d50fb26fcc87cea1b8f2eb15132429588d3a0f4bae296
670eb3744d703bdf43a246ffbb313cecaf01f55feaa973a3f85bd8c4dae781c2
98fa2b33875a2409f9107832e7869bca91f44e57af1fc0743009c8eb53f0e928
8cd17893e8ac733bb4bf624e9351dcb0b08d83c3908385fba72fe72c70fd4f03
e48022e9f7c8d368e6f8d65c86f19afb98d1104dda8d06047acd1feff6a658d7
37550c63f7c27440149dcd0cefdc456f04422595679adebb3be0278249d145c6
b503aee98c27d8e15feb765addc1c386c7c59ccbd43ae7c4d2842b293120130b
3ad13fd7968f9574d2c822e579291c77a0c525991cfb785cbe6cdd500b737218
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
8bb0c75f554647d27173b3d8b2e63abba3670fb7972b6856cbca89f1eda96c6d
21391fc51c85957fb1bf530fbdd01b9cc6b855445c5ae6e46d9be51441ee62f5
0b07fe8c554ff364d42e3311b10a79ba6ed1b47e35763e45c924bafeb8d0d50a
a8647cfb02a8b8c077fb4285357c29f58afb1a8ffff6da199e6a3887030869fd
4df83e858a2d52987f6e9b8afcde20643ee1cd106089e412e25b1df186a57b29
a4561c8115ba9a40d8ccc6411379e8db03ac8540c681b8aae63763a7e8c10a27
d6d3dd2923a9b46473abb1d811fb4b64bdcf2c0c15c1f48161353b1c220d7e23
bf5bc18439ee4363f861058f1dc8a0fa74775be6efc44fbf7d8d6c511fd2a447
cb7fc22f3b5ccf76238049bd7388f760204728fe846742fbda3560b1085efa7f
cf46c5f2cd03626cad846f9d3d55366a7b469704eae8ed7ba54eda6940dc9bba
a7a2d5e0d31d31e452252c14023420621e92967814dc6410f783c5f101c3de1b
41ce43aa875bf977ec9eb039e5853ade1af522dd0dff4f19282f6c8038ae2dff
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
d824b099e911bc138c15e82996288b84253e98e2f2b286801edc564ff98e7bf5
db9c79df5fa9185f4f1d4745cdc8c417d21679d4bfd7dc7d5939312024d92127
d2f01f5182de940b27db63f60ca85d5f4421c75de628c03a63d8e92cf9f3681c
055581a45098bcdda89f414c2346c7737546908ad7fba54f1c6f6451886e014d
30471f6f937611ff3868013eccd4b8fd33150e7bd0c25e49bc1ae53c2f3ad78a
4024acf12f12a1ef676b1edd835a5e384d4800725c352c1e88b9c94b94293e72
7edd23716ea559a786a78a1637749a4dd626c79f7119fd128e43334dafa1dceb
d57957436111516ca7a7e9af7cb143353cf41a22d556aa19ba6e710a37c6f0ae
f421b369da1548568f6d2edc332073ef7604517e83eb1425f9b336eb56e6ce7a
b5f88e34db4bb65da8c21982590b67922fe32e62e7cfaae9fbe417a4262aa143
8eea00bd7d1db820c7a1b5622119b76944215e5803c2e8b772b9548e9ee91c66
b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
203a03884451e5f74fa167f4708e19722f1d91ba434957aac1ba13f1a3d70127
8980c8abaa3365782c905b3f9506a032c54a5d1833fef1fe0ce46b6f84ee7534
049305763188b36e9010906c55428a2b42b59da7da4e0709112835a46c600243
58a7195eaf6e6d8c366dd038689da7697e0acfc5d0d160fb89d63f1658e997b8
ce16fc8b907646744f5790fa16e1bba6b1b3c3484a7c9d3802193d7c518c1f08
d64cda4b27aee29a8f491b125d83bc8b55d483db8884b14fc1a3ef20fe1717eb
13b76d70cecc082e06783f4a67c8c3b9cd5e4fb652e22475e9e11440b7a215cd
d179e667e2790673f30e69bebaa0bcd4d4b9bf68503611b6d26b278447cd4ae1
d86aa13697e550f6e74a585167e0e5aae455a7a99284679f230fe1d96ff59d8a
07a3740166cef528ebddd4f594c555f7a07cee5260fb85d2840dded9ebbbd652
50ab699ceb6bb259199d197392ea0ed00d024ce77d3d663ea13fe7b93a4ab50e
769a9ae9ab253e8cce64c35143eff02b2ae70e53465ab4aa4f6cf1b2d4fe698e
b01b61c911a3b80d4f265e4915f9d62275efa34f84989f77be142f3f9e062f9b
1c74706b3f7dc817e51a166a5e41e55383347e1080a3b2aa41b9f6dd87d63040
56538d4161a6b6e0e57759f73f81a76db0b7bf9f923791f56e719793ae10ece9
2cc5f31570047becc5e77581e2f640afba8d6904c6be61105603d60d01c181d0
fff25302774366cdb466fa0e4015f9c7de93fd0192585a3cab2e2f51b635047c
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
962793c4decea8dd718bd96ccc4209ce744414a62e4afb93c79db64df4b792e2
SH256 hash:
5befb90b9e363ee7a3c80607b83247dee8d21267f5923345119c07ac22f0bdef
MD5 hash:
13b753f9c80fc833e02928b47248b7b2
SHA1 hash:
c221047f96a5c84e00455959b79607d0191b37db
Link:
https://www.unpac.me/results/e716b560-fad0-4c33-9e50-591fbdfd5507/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5befb90b9e363ee7a3c80607b83247dee8d21267f5923345119c07ac22f0bdef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:QnapCrypt
Create hunting rule
Author:Intezer Labs
Reference:https://www.intezer.com
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 5befb90b9e363ee7a3c80607b83247dee8d21267f5923345119c07ac22f0bdef

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/169263/

Comments


Avatar
zbet commented on 2021-07-02 03:56:22 UTC

url : hxxp://fikerty.info/app.exe