MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5edf36f66a907a94f784312aba40f5090418e4a1b404d53d88965ad11fdeec20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba
Vendor detections: 8

SHA256 hash: 5edf36f66a907a94f784312aba40f5090418e4a1b404d53d88965ad11fdeec20
SHA3-384 hash: 98d54f217e06d26ae12a38580733a5ac1016071c5ed35b9e6cb61681357fc3848964f8d4d20bf11c2576ccebe16a0cbd
SHA1 hash: d38743290ae4e60e7d4cbd843b5f8ed308e09c51
MD5 hash: 9ef7986267bda788fec22557df41e6f1
humanhash: golf-jupiter-alabama-neptune
File name: 9ef7986267bda788fec22557df41e6f1
Signature: Glupteba
File size: 110'080 bytes
First seen: 2021-07-03 05:31:10 UTC
Last seen: 2021-07-03 06:54:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 379eeb3dff6fa63dd79e7b6f6a70f460 (1 x Glupteba)
ssdeep: 3072:z2kNdv6G5BHlLjBRQHiabSttu1wY/q8qhcLskyh7ppkCvPx3:KkN/jF+HbfwY/k7kq53
TLSH: 0AB38E0279C0C473E97628364570DAB04A3DFD301F619EAB635C167A8F346D1DA29EBB
Reporter: zbetcheckin
Tags: 32 exe Glupteba

Intelligence

File Origin
# of uploads: 2
# of downloads: 306
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 9ef7986267bda788fec22557df41e6f1
Verdict: Malicious activity
Analysis date: 2021-07-03 05:34:24 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: MALICIOUS

Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Glupteba
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Yara detected Glupteba
Behaviour
Behavior Graph (ID 443730; sample MEfcsLRG2E; start date 03/07/2021; architecture WINDOWS; score 100). The interactive graph is reproduced here as a process tree, with the signatures, network contacts and dropped files that the graph attaches to each node:

Analysis root
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 9 other signatures
  -> MEfcsLRG2E.exe
       Network: touchook.info 104.21.63.133 (ports 49709, 80; CLOUDFLARENETUS, United States); fackerty.info 104.21.89.3 (ports 443, 49711; CLOUDFLARENETUS, United States); fikerty.info 172.67.202.130 (ports 49710, 80; CLOUDFLARENETUS, United States)
       Dropped: C:\Users\user\Desktop\app.exe (PE32); C:\Users\user\AppData\Local\...\app[1].exe (PE32)
       -> app.exe
            Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
            -> app.exe
                 Network: humisnee.com 172.67.206.104 (ports 443, 49726; CLOUDFLARENETUS, United States)
                 Dropped: C:\Windows\rss\csrss.exe (PE32)
                 Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Creates an autostart registry key pointing to binary in C:\Windows
                 -> csrss.exe
                      Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file
                 -> cmd.exe
                      Signatures: Uses netsh to modify the Windows network and firewall settings
                      -> netsh.exe
                           Signatures: Creates files in the system32 config directory
                      -> conhost.exe
            -> WerFault.exe
  -> csrss.exe
       -> WerFault.exe
       -> csrss.exe
  -> csrss.exe
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-07-03 01:31:17 UTC
AV detection: 15 of 46 (32.61%)
Threat level: 5/5
Result
Malware family: metasploit
Score: 10/10
Tags: family:glupteba family:metasploit backdoor dropper loader trojan
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 5edf36f66a907a94f784312aba40f5090418e4a1b404d53d88965ad11fdeec20
MD5 hash: 9ef7986267bda788fec22557df41e6f1
SHA1 hash: d38743290ae4e60e7d4cbd843b5f8ed308e09c51
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: QnapCrypt
Author: Intezer Labs
Reference: https://www.intezer.com
Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Glupteba
File: Executable exe 5edf36f66a907a94f784312aba40f5090418e4a1b404d53d88965ad11fdeec20 (this sample)

Comments

zbet commented on 2021-07-03 05:31:10 UTC

url : hxxp://fikerty.info/preloader.exe