MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65df23849c6a6722b36b8d3bd101c9b58ec82ab0f91ef09524a7b9c91fe76078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 18



SHA256 hash: 65df23849c6a6722b36b8d3bd101c9b58ec82ab0f91ef09524a7b9c91fe76078
SHA3-384 hash: d8875032648e6a0df2cbd8fff18595bda903354358542344024ce261172c7e7b412cc4d0165cfa47e6011d7d4d9a5f8e
SHA1 hash: ca92e8ab80c94ad5ad4530863adbb1e494bc817f
MD5 hash: afac5e4b4d8cb6f10353da7e8fa83fa1
humanhash: pennsylvania-seven-hot-beer
File name: 2025-03-22_afac5e4b4d8cb6f10353da7e8fa83fa1_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch
Signature: Glupteba
File size: 9'511'657 bytes
First seen: 2025-03-22 20:00:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep: 98304:GHxMZDJ1TRpxYVX9u2IazANfAhZytTD5iqk4:sxEvYjVzANIhwNP
TLSH: T129A66B91FA9B00F5EA13543084A7623F9331BD064B25CFCBD6506F2AED73AD20E36659
TrID: 29.1% (.EXE) Win64 Executable (generic) (10522/11/4)
27.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.4% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: BastianHein
Tags: exe Glupteba

Intelligence


File Origin
# of uploads: 1
# of downloads: 479
Origin country: CL

Vendor Threat Intelligence
Malware family: glupteba
ID: 1
File name: 2025-03-22_afac5e4b4d8cb6f10353da7e8fa83fa1_cobalt-strike_frostygoop_gcleaner_poet-rat_sliver_snatch
Verdict: Malicious activity
Analysis date: 2025-03-22 18:20:28 UTC
Tags: uac trojan glupteba discord xmrig antivm golang

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect glupteba emotet
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Launching a service
Restart of the analyzed sample
Creating a file in the Windows subdirectories
Running batch commands
Launching the process to change the firewall settings
Creating synchronization primitives
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm anti-vm crypto evasive expand fingerprint go golang hacktool lolbin overlay packed packed update
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Glupteba
Behaviour
Behavior Graph: Behavior Graph ID 1645873; sample r_snatch.exe; start date 22/03/2025; architecture WINDOWS; score 80.
Root-node signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Glupteba; 3 other signatures.
Process tree: r_snatch.exe and svchost.exe started. r_snatch.exe (Found Tor onion address) started a child r_snatch.exe and powershell.exe; svchost.exe contacted 127.0.0.1. The child r_snatch.exe (Found Tor onion address) started powershell.exe. Each powershell.exe (Loading BitLocker PowerShell Module) started conhost.exe.
Threat name: Win32.Trojan.EfiGuard
Status: Malicious
First seen: 2025-03-22 12:44:19 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 25 of 38 (65.79%)
Threat level: 5/5
Verdict: malicious
Label(s): glupteba
Similar samples:
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba defense_evasion discovery dropper execution loader persistence privilege_escalation rootkit trojan
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Executes dropped EXE
Loads dropped DLL
Windows security modification
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba family
Glupteba payload
Windows security bypass
Gathering data
Unpacked files
SHA256 hash: 65df23849c6a6722b36b8d3bd101c9b58ec82ab0f91ef09524a7b9c91fe76078
MD5 hash: afac5e4b4d8cb6f10353da7e8fa83fa1
SHA1 hash: ca92e8ab80c94ad5ad4530863adbb1e494bc817f
Detections: Glupteba
SHA256 hash: 5dfd6eb519b114f61731b959b989797b1f2e9ae95ee4c1a7a69370b3842d8c24
MD5 hash: b18f9e70d07bec7e3efac6de192db871
SHA1 hash: 6af1f424c9379f939a037d5a8d71d5f3e2faafd5
SHA256 hash: caa8e02d91cf6ded2cd6a9d0b218f536bdb99dbe2d19727df1ef899b619f5c01
MD5 hash: ded1bb3a4536a459954fe78b7ef24994
SHA1 hash: 287e32ac702b9a66d73d959f76fefdfd1296aa2b
SHA256 hash: 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
MD5 hash: d98e78fd57db58a11f880b45bb659767
SHA1 hash: ab70c0d3bd9103c07632eeecee9f51d198ed0e76
Detections: MAL_ME_RawDisk_Agent_Jan20_2
Parent samples:
SHA256 hash: 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
MD5 hash: 09031a062610d77d685c9934318b4170
SHA1 hash: 880f744184e7774f3d14c1bb857e21cc7fe89a6d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: crime_ZZ_botnet_aicm
Author: imp0rtp3
Description: DDoS Golang Botnet sample for linux called 'aicm'
Reference: https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: dsc
Author: Aaron DeVera
Description: Discord domains
Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: INDICATOR_SUSPICIOUS_DisableWinDefender
Author: ditekSHen
Description: Detects executables containing artifacts associated with disabling Windows Defender
Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables Discord URL observed in first stage droppers
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UroburosVirtualBoxDriver
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Exploit_Generic_e95cc41c
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews
ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: kernel32.dll::CloseHandle, kernel32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryW, kernel32.dll::GetSystemInfo

ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: kernel32.dll::WriteConsoleW, kernel32.dll::SetConsoleCtrlHandler, kernel32.dll::GetConsoleMode

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: kernel32.dll::CreateFileA, kernel32.dll::GetSystemDirectoryA
