MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 11


Intelligence 11 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d
SHA3-384 hash: 7e6dc697e0594761312cd3f25fd9bac70eca152018e220b5928bf9a9349e3f644ac0efbc387c44c608e814039eddefb0
SHA1 hash: 8e9cfa2ebe51e9f71d55b161fb13aae13ee3744f
MD5 hash: d2f812118c89341715fbff0ba9530396
humanhash: mississippi-charlie-zebra-arizona
File name:file300un.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:2'799'840 bytes
First seen:2024-05-10 16:47:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6df573862725a7261d77e9eebaebd3a (1 x AgentTesla, 1 x Stealc, 1 x Glupteba)
ssdeep 24576:tRoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvQB5VA0UC1dUUKj/LZ8j3gy:boKmo4jC6Tov2RUC1doj/wgy
TLSH T1EDD5AE15D3F801A5D47BD634CA2D8733D6B0B8561B34E28B0A09D7962F73A928B7F721
TrID 45.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
33.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
8.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter NDA0E
Tags:exe signed

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-05-10T11:20:18Z
Valid to:2025-05-10T11:20:18Z
Serial number: 58ad3118a80340d68b19ef3192b5a270
Thumbprint Algorithm:SHA256
Thumbprint: 0b28b9c7824b0d5d063592b119308b01b8eafc09605533364e5ee61dc52722bf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
NDA0E
http://5.42.96.78/files/file300un.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
352
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d.exe
Verdict:
Malicious activity
Analysis date:
2024-05-10 16:51:10 UTC
Tags:
loader opendir evasion adware neoreklami privateloader smokeloader
Link:
https://app.any.run/tasks/f0c9f3af-21d8-4ab9-a8ca-7a2338bef391

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Sending an HTTP GET request to an infection source
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Modifying a system file
Using the Windows Management Instrumentation requests
Replacing files
Reading critical registry keys
Connection attempt to an infection source
Query of malicious DNS domain
Blocking the Windows Defender launch
Unauthorized injection to a system process
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Malicious
Labled as:
Win64/GenKryptik.GXKH trojan
Link:
https://www.hybrid-analysis.com/sample/716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/752a9aee-bca2-4b6b-8e98-c59bec27eef7
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1439756
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1439756 Sample: file300un.exe Startdate: 10/05/2024 Architecture: WINDOWS Score: 100 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 Antivirus detection for dropped file 2->88 90 6 other signatures 2->90 10 file300un.exe 1 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 svchost.exe 2->17         started        process3 signatures4 102 Writes to foreign memory regions 10->102 104 Allocates memory in foreign processes 10->104 106 Sample uses process hollowing technique 10->106 108 Injects a PE file into a foreign processes 10->108 19 AddInProcess32.exe 15 264 10->19         started        24 conhost.exe 10->24         started        process5 dnsIp6 72 84.38.181.36 SELECTELRU Russian Federation 19->72 74 5.42.96.64 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 19->74 76 12 other IPs or domains 19->76 46 C:\Users\...\x3umiuB36q6Ulku7JxVfwjpb.exe, MS-DOS 19->46 dropped 48 C:\Users\...\wrVRPnIpnLJXUTudjfFi16tF.exe, PE32 19->48 dropped 50 C:\Users\...\wYRdZZBCLwvOUOj1He4XBHuF.exe, MS-DOS 19->50 dropped 52 216 other malicious files 19->52 dropped 92 Installs new ROOT certificates 19->92 94 Drops script or batch files to the startup folder 19->94 96 Creates HTML files with .exe extension (expired dropper behavior) 19->96 98 Writes many files with high entropy 19->98 26 pZ8DTIfHggC4fceOCmTKKGk5.exe 11 60 19->26         started        31 IblBFITfS0cBKN1OcWkk6AEV.exe 19->31         started        33 uMTcEysOEX1gWiRBXtmweUlR.exe 19->33         started        35 28 other processes 19->35 file7 signatures8 process9 dnsIp10 78 94.232.45.38 WELLWEBNL Russian Federation 26->78 80 87.240.132.72 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 26->80 82 20 other IPs or domains 26->82 54 C:\Users\...\qBQkk2CQPLtIvJgxEqPobrkd.exe, PE32 26->54 dropped 56 C:\Users\...\pEmrQdFMep9N1lmzKFpxDVHM.exe, PE32 26->56 dropped 58 C:\Users\...\n3CEOgaSAGG1hMfIVpjJuavd.exe, PE32 26->58 dropped 64 28 other malicious files 26->64 dropped 110 Drops PE files to the document folder of the user 26->110 112 Creates HTML files with .exe extension (expired dropper behavior) 26->112 114 Disables Windows Defender (deletes autostart) 26->114 118 6 other signatures 26->118 66 3 other malicious files 31->66 dropped 37 Install.exe 31->37         started        60 C:\Users\user\AppData\Local\...\changepk.exe, PE32+ 33->60 dropped 68 2 other malicious files 33->68 dropped 40 Install.exe 33->40         started        62 C:\Users\user\AppData\Local\Temp\u4h4.0.exe, PE32 35->62 dropped 70 12 other malicious files 35->70 dropped 116 Detected unpacking (changes PE section rights) 35->116 file11 signatures12 process13 signatures14 100 Modifies Windows Defender protection settings 37->100 42 cmd.exe 37->42         started        process15 process16 44 conhost.exe 42->44         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oftudwcylhd4i5dtsxploco4bnfsoqna2fmfbkr2obwmaxlbx5wq._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader discovery evasion execution loader spyware stealer
Link:
https://tria.ge/reports/240510-va4t4sfe41/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies firewall policy service
PrivateLoader
Unpacked files
SH256 hash:
716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d
MD5 hash:
d2f812118c89341715fbff0ba9530396
SHA1 hash:
8e9cfa2ebe51e9f71d55b161fb13aae13ee3744f
Link:
https://www.unpac.me/results/ca6f8e2f-76bb-4596-b3ee-57608c3c0f44/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/716741d85859/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0

Glupteba

Executable exe 716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d

(this sample)

Glupteba

Executable exe 7f6df5c1182104000a9a6c7a9f03e5b9cf51e53d1b768ab557c9a94b52fa4c8e

  
Dropped by
SHA256 a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0
  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2845735/
  
URLhaus
https://urlhaus.abuse.ch/url/2845856/
  
Dropping
SHA256 7f6df5c1182104000a9a6c7a9f03e5b9cf51e53d1b768ab557c9a94b52fa4c8e
  
Dropping
MD5 5d46bc4982855a462c08fc9cdf2cb894
  
Dropping
SHA256 1640f03f39d8601b33257bde1ec3820fc4858721d1a2cd9aefdb98ea0f573ff8
  
Dropping
MD5 85f1fcc9de87f59f37c549d956de2630
  
Dropped by
MD5 731ff38afbc5a664f5a458e222d91f84

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::RevertToSelf
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::VirtualAllocExNuma
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::DeleteVolumeMountPointW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::ReplaceFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenerateSymmetricKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
ADVAPI32.dll::RegSetValueExA

Comments