MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 610d9028a1aac20684ad5bf0b6c0212016eceb3d6d4563cead3c398aac441c5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 610d9028a1aac20684ad5bf0b6c0212016eceb3d6d4563cead3c398aac441c5b
SHA3-384 hash: cd157114c8b45c3d812f932e50151494ccbea75ffde2561ffb894f9ecfe9a16cfb3f7cf27ea6c11de040f4ed94ffa8a7
SHA1 hash: 8ca91b14d95b896a7afe2430830ed88c2700d0ab
MD5 hash: 9bd60d8672e34193a3bb35a09d3d4dc5
humanhash: bulldog-william-oven-mississippi
File name:Five.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:355'328 bytes
First seen:2021-04-10 13:47:17 UTC
Last seen:2021-04-10 14:41:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:A0P60kpVxh0TXmxm5d3MGrmzzzzHGzzzzQzzzzHzzzzQWDxPhABztz5CH:AHh0TIuYpANY
Threatray 124 similar samples on MalwareBazaar
TLSH B774A746F9A8CBA0D7DE2DF559C1B41780176A6038E1794311F927108FCADE2CB4BF9A
Reporter James_inthe_box
Tags:exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
692
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133489/
Detection(s):
SecuriteInfo.com.Adware.WizzMonetize.1.7825.28613.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Connecting to a non-recommended domain
Sending a custom TCP request
Creating a file
Creating a window
Sending a UDP request
Launching a process
Sending an HTTP GET request
Sending an HTTP POST request
Connection attempt
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/672014
Signature
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384954 Sample: Five.exe Startdate: 10/04/2021 Architecture: WINDOWS Score: 72 64 www.google.ch 2->64 66 www.gearbest.com 2->66 68 34 other IPs or domains 2->68 96 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 Machine Learning detection for sample 2->100 102 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->102 10 Five.exe 14 9 2->10         started        signatures3 process4 dnsIp5 86 greataccesstoserver.com 159.89.4.33, 49706, 80 DIGITALOCEAN-ASNUS United States 10->86 88 digitalassets.ams3.digitaloceanspaces.com 5.101.110.225, 443, 49707 DIGITALOCEAN-ASNUS Netherlands 10->88 52 C:\Users\user\AppData\...\multitimer.exe, PE32 10->52 dropped 54 C:\Users\user\AppData\Local\...\Five.exe.log, ASCII 10->54 dropped 56 C:\Users\user\AppData\Local\...\setups.exe, PE32 10->56 dropped 14 setups.exe 10->14         started        16 multitimer.exe 14 17 10->16         started        file6 process7 dnsIp8 20 setups.tmp 5 26 14->20         started        58 new.multitimer.fun 104.248.119.44, 443, 49710 DIGITALOCEAN-ASNUS United States 16->58 60 catser.inappapiurl.com 138.197.53.157, 443, 49709, 49711 DIGITALOCEAN-ASNUS United States 16->60 62 2 other IPs or domains 16->62 94 Multi AV Scanner detection for dropped file 16->94 24 multitimer.exe 16->24         started        signatures9 process10 dnsIp11 84 192.168.2.1 unknown unknown 20->84 44 C:\Users\user\AppData\Local\...\psvince.dll, PE32 20->44 dropped 46 C:\Users\user\AppData\...\itdownload.dll, PE32 20->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 20->48 dropped 50 2 other files (none is malicious) 20->50 dropped 26 iexplore.exe 11 188 20->26         started        29 iexplore.exe 20->29         started        31 iexplore.exe 20->31         started        33 multitimer.exe 24->33         started        file12 process13 dnsIp14 90 www.gearbest.com 26->90 92 catser.inappapiurl.com 26->92 35 iexplore.exe 26->35         started        38 iexplore.exe 26->38         started        40 iexplore.exe 26->40         started        42 13 other processes 26->42 process15 dnsIp16 76 2 other IPs or domains 35->76 70 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49879, 49880 YAHOO-DEBDE United Kingdom 38->70 78 24 other IPs or domains 38->78 80 36 other IPs or domains 40->80 72 spdc-global.pbp.gysm.yahoodns.net 212.82.100.181, 443, 49905, 49906 YAHOO-IRDGB United Kingdom 42->72 74 87.248.118.22, 443, 49881, 49882 YAHOO-DEBDE United Kingdom 42->74 82 121 other IPs or domains 42->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/610d9028a1aac20684ad5bf0b6c0212016eceb3d6d4563cead3c398aac441c5b/
Threat name:
ByteCode-MSIL.Trojan.Ursu
Create hunting rule
Status:
Malicious
First seen:
2021-04-10 13:47:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=megzakfbvlbanbfnlpylnqbbealoz2z5nvcwhtvnhq4yvlcedrnq._file
Verdict:
malicious
Similar samples:
0a8ddf7be1e8bcaefd7fca87ee9adc6aabd53dee30c69b726beb0554b1746c6d
Glupteba
0cae975d5c602437ef781f39605c9a79fe0c0bca956bd4fecb21e17ace1c58ca
Glupteba
0ed95818ba222ec8d2ae4fdaaed1b143d9faada09c27a6c8aaecb8aa5ceb270f
Glupteba
2274f98683053410f2b4b95b9fd1ec041dfcff428d766f2a986195383803ecaf
Glupteba
28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd
Glupteba
5788de5efeb9850b6fdea52dbe26a4aa9fa28dfbfd56280b4533226157d1c9a5
Glupteba
97db3a9f804cdc5a97cfc32fede3ce5f31ed7756be6d4749123e87967e810dc2
Glupteba
b1adf30c5cb4c1a7c06e877308d0f0e32f6ea1b21105de5db7583a889d089373
Glupteba
b8a5cf81ab9584f1ca6e937c2b6e2f399c4dcd81fc300b0746c4fbfd98b80ff7
Glupteba
e99107f51a615207824a28411b0355fba67cbda8dbd24d450a84cbe40aa8faf5
Glupteba
+ 114 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:dridex family:glupteba family:icedid family:metasploit family:vidar botnet:10111 agilenet backdoor banker botnet discovery dropper evasion loader persistence stealer trojan upx vmprotect
Link:
https://tria.ge/reports/210410-v4zearcj9x/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Checks computer location settings
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
VMProtect packed file
ACProtect 1.3x - 1.4x DLL software
Checks for common network interception software
Dridex Loader
IcedID First Stage Loader
Dridex
Glupteba
Glupteba Payload
IcedID, BokBot
MetaSploit
Vidar
Malware Config
C2 Extraction:
131.100.24.231:443
188.165.17.91:8443
185.148.169.10:2303
zapatiryesa.fun
Dropper Extraction:
http://labsclub.com/welcome
Unpacked files
SH256 hash:
610d9028a1aac20684ad5bf0b6c0212016eceb3d6d4563cead3c398aac441c5b
MD5 hash:
9bd60d8672e34193a3bb35a09d3d4dc5
SHA1 hash:
8ca91b14d95b896a7afe2430830ed88c2700d0ab
Link:
https://www.unpac.me/results/bf272d72-4bd9-49d3-86ce-47c63b451ed6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/610d9028a1aac20684ad5bf0b6c0212016eceb3d6d4563cead3c398aac441c5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:QnapCrypt
Create hunting rule
Author:Intezer Labs
Reference:https://www.intezer.com
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/1104388/
Cape
Cape
https://www.capesandbox.com/analysis/133489/
  
URLhaus
https://urlhaus.abuse.ch/url/1095752/

Comments