MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 14

SHA256 hash: 5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36
SHA3-384 hash: ee90a1ac22b950cbc63369bfe7bfc82d507a171008a0d2968f582e15984c39051d9543baa014b1859918183c781d58d1
SHA1 hash: 5a367dbc0473e6f9f412fe52d219525a5ff0d8d2
MD5 hash: 7c20b40b1abca9c0c50111529f4a06fa
humanhash: high-zulu-speaker-mountain
File name: Graphics.bin
Signature Glupteba
File size: 4'686'376 bytes
First seen: 2022-07-18 18:35:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 0f0c12643909b692a9be3510bdc965e8 (6 x RedLineStealer, 1 x Glupteba)
ssdeep 98304:8zqCY0K37zUdYo77HKAJuGl+9aEWHoEYDs8cO0LT7HrxNJ/n/P5wWi:8m39Lz6/3HKoS9aLoQOsTfZJm
TLSH T118263321BBA2C034F4F696F846756754EE263AB0579492CB73E623FC17246E4BC30693
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter KdssSupport
Tags: exe Glupteba


KdssSupport
Uploaded with API

Intelligence


File Origin
# of uploads: 1
# of downloads: 563
Origin country: n/a
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: installer.exe
Verdict: Malicious activity
Analysis date: 2022-07-17 20:32:57 UTC
Tags: trojan evasion redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching a service
Sending a custom TCP request
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Metasploit
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph: Behavior Graph ID 668571, Sample: Graphics.bin, Startdate: 18/07/2022, Architecture: WINDOWS, Score: 100 (graph rendering not reproduced here)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-09-22 23:38:06 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 24 of 26 (92.31%)
Threat level: 5/5
Verdict: malicious
Unpacked files
SHA256 hash: aa6ecbb2334048c3205ec9d947b0abb6d61f7ff235ae6e0e1159af59a1fe2c1a
MD5 hash: 92fb96677b8ca5fb356db81fa28ce66d
SHA1 hash: 5f786048fb4854c7bdd78bc0d4ebbef2e5f8d4d0
Detections: win_zloader_g1
Parent samples:
SHA256 hash: 5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36
MD5 hash: 7c20b40b1abca9c0c50111529f4a06fa
SHA1 hash: 5a367dbc0473e6f9f412fe52d219525a5ff0d8d2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: crime_ZZ_botnet_aicm
Author: imp0rtp3
Description: DDoS Golang Botnet sample for linux called 'aicm'
Reference: https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_peb_parsing
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: UroburosVirtualBoxDriver

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Glupteba
File type: Executable exe
SHA256: 5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36 (this sample)

Comments