MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62a510237e5fa4597e618e752512cba0651aeb8e7a5f29f71aa6f573a8aa5db8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	62a510237e5fa4597e618e752512cba0651aeb8e7a5f29f71aa6f573a8aa5db8
SHA3-384 hash:	5807ef729a7b9f3657ff09dfcbeb10f1123d1ce4c0358f19db43f2f5e60146f4021bcbe0bca97de9d4d1211453307a44
SHA1 hash:	45fd7438461a1cada912769e455127818b3abe50
MD5 hash:	5171e89741f041663c4a91a90ceb9c04
humanhash:	cola-red-triple-texas
File name:	file
Download:	download sample
Signature	Glupteba Create hunting rule
File size:	1'822'944 bytes
First seen:	2023-10-07 01:00:54 UTC
Last seen:	2023-10-08 01:15:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	10f1bd31eb864aa4f02738deca4b5815 (1 x Glupteba)
ssdeep	49152:qYLlbuLcsuQYRwGDFUpVm217qx1bJ1fzlE8K4k5qzeG6b:qCb4uNF6m21mx1ZNdNeGk
TLSH	T13A8533D2BA2241BDFCB55B7091EA18CF6800AE8FA4D8877D2367C1B4791BF641E191F4
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	andretavare5
Tags:	exe Glupteba signed

Code Signing Certificate

Organisation:	Microsoft Code Signing PCA 2011
Issuer:	Microsoft Code Signing PCA 2011
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-10-07T00:50:30Z
Valid to:	2024-10-07T00:50:30Z
Serial number:	ef8dfb3645d37c90937d781d1c8e1836
Thumbprint Algorithm:	SHA256
Thumbprint:	3a641fcfd10128bc4179df80470e75cbb79012944562e2040ec9f08ba0066edc
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://185.225.74.144/files/Umm2.exe

Intelligence

File Origin

# of uploads :

# of downloads :

353

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://www.amsangroup.com/net/Zip.7z

Verdict:

Malicious activity

Analysis date:

2023-10-07 07:20:13 UTC

Tags:

privateloader evasion opendir loader risepro stealer gcleaner redline stealc tofsee botnet ransomware stop onlylogger miner vidar trojan arkei hijackloader raccoon recordbreaker amadey raccoonclipper

Link:

https://app.any.run/tasks/fa8b3a05-a2e9-4183-911a-1cd8588e0ac1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Connecting to a non-recommended domain

Creating a file

Using the Windows Management Instrumentation requests

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% subdirectories

Creating a window

Searching for synchronization primitives

Searching for the window

Launching cmd.exe command interpreter

Delayed reading of the file

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Running batch commands

Blocking the User Account Control

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a recently created process

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Gathering data

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/62a510237e5fa4597e618e752512cba0651aeb8e7a5f29f71aa6f573a8aa5db8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/40614d6f-8414-4a48-8489-6907e7e74a44

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62a510237e5fa4597e618e752512cba0651aeb8e7a5f29f71aa6f573a8aa5db8/

Threat name:

Win64.Trojan.CrypterX

Status:

Malicious

First seen:

2023-10-07 01:01:05 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mksrai36l6sfs7tbrz2skewlubsrv24opjpst5y2u32xhkfklw4a._file

Verdict:

unknown

Result

Malware family:

glupteba

Score:

10/10

Tags:

family:amadey family:glupteba dropper evasion loader trojan upx

Link:

https://tria.ge/reports/231007-bc8fjagf3z/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Launches sc.exe

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Drops startup file

Executes dropped EXE

UPX packed file

Downloads MZ/PE file

Stops running service(s)

Amadey

Glupteba

Glupteba payload

UAC bypass

Malware Config

C2 Extraction:

http://193.42.32.29/9bDc8sQ/index.php

Unpacked files

SH256 hash:

b4cbeb24784044a74a83e76d919461206e0a401441564246690289f563244fe0

MD5 hash:

36809e9fd9df64d0a962d6cba267e7b4

SHA1 hash:

34c941e22ebd84f25aa2a485f0a0e01981e3901f

Link:

https://www.unpac.me/results/a4c07753-216b-48cd-8e99-eacab97d2092/

SH256 hash:

62a510237e5fa4597e618e752512cba0651aeb8e7a5f29f71aa6f573a8aa5db8

MD5 hash:

5171e89741f041663c4a91a90ceb9c04

SHA1 hash:

45fd7438461a1cada912769e455127818b3abe50

Link:

https://www.unpac.me/results/a4c07753-216b-48cd-8e99-eacab97d2092/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/62a510237e5f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/62a510237e5fa4597e618e752512cba0651aeb8e7a5f29f71aa6f573a8aa5db8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shad0w_beacon_16June Create hunting rule
Author:	SBousseaden
Description:	Shad0w beacon compressed
Reference:	https://github.com/bats3c/shad0w

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2715393/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample