MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 745d794fd8a4efccfa11efa67e9232f31257931e4d846b2ab0a92bb8c4aea7d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 745d794fd8a4efccfa11efa67e9232f31257931e4d846b2ab0a92bb8c4aea7d8
SHA3-384 hash: 5c2750d5a3cb935622b6ff89e4a7922a6ea31d96871cc35f12c01a4dd78e1fdf2acded235ce7110c504d731bd2c222cb
SHA1 hash: 8e7cfd40698a4ac0ffe6ed345930ee3da4c0165f
MD5 hash: d2ec4306f6f7711fe7c26d9d3f1bb309
humanhash: equal-mobile-equal-november
File name:file
Download: download sample
Signature Glupteba
Create hunting rule
File size:5'029'736 bytes
First seen:2023-11-16 20:28:32 UTC
Last seen:2023-11-16 22:18:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 49152:tbmgwCzl8qW5A4kKbdANLxNoARLxQ9y5eg3WyFGbNF1uZsksVOhA9hDeFwaAxgpV:5mgDRii0nSsXVbKvAp5U
TLSH T1EF369E91E2F1A65CE4DEE572DE3463E462B2A453BB13E395CE00E521346C3E78BC8563
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter andretavare5
Tags:exe Glupteba signed

Code Signing Certificate

Organisation:somoto inc
Issuer:somoto inc
Algorithm:sha256WithRSAEncryption
Valid from:2023-11-16T17:09:58Z
Valid to:2024-11-16T17:09:58Z
Serial number: 322669ff26eb94e975599894000d8b0a
Thumbprint Algorithm:SHA256
Thumbprint: c92460a346898f101c2594c3306a123b173ae1f4d83791177b5264bab5dafb2e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.92.243.139/files/InstallSetup2.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
398
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458883/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.1962.12375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for the window
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive lolbin msbuild overlay packed
Link:
https://www.filescan.io/uploads/65567b903f56544041f95e4d/reports/d51592e0-4466-4055-a1cf-3128ee74f1e7/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/745d794fd8a4efccfa11efa67e9232f31257931e4d846b2ab0a92bb8c4aea7d8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/73f19e72-8ddd-4176-a240-a09510fdf7d8
Result
Threat name:
Glupteba, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1343828
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disables UAC (registry)
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1343828 Sample: file.exe Startdate: 16/11/2023 Architecture: WINDOWS Score: 100 182 Malicious sample detected (through community Yara rule) 2->182 184 Antivirus detection for URL or domain 2->184 186 Antivirus detection for dropped file 2->186 188 11 other signatures 2->188 12 file.exe 2 4 2->12         started        15 ZXcuwzw.exe 2->15         started        17 cmd.exe 2->17         started        19 3 other processes 2->19 process3 signatures4 232 Writes to foreign memory regions 12->232 234 Allocates memory in foreign processes 12->234 236 Adds a directory exclusion to Windows Defender 12->236 244 2 other signatures 12->244 21 CasPol.exe 15 206 12->21         started        26 powershell.exe 23 12->26         started        238 Multi AV Scanner detection for dropped file 15->238 240 Very long command line found 15->240 242 Modifies Windows Defender protection settings 15->242 28 powershell.exe 15->28         started        30 lwXunVyT6oStnjGtyY8uajPr.exe 17->30         started        32 conhost.exe 17->32         started        34 lwXunVyT6oStnjGtyY8uajPr.exe 17->34         started        36 lwXunVyT6oStnjGtyY8uajPr.exe 17->36         started        38 conhost.exe 19->38         started        40 3 other processes 19->40 process5 dnsIp6 166 91.92.243.139 THEZONEBG Bulgaria 21->166 168 107.167.110.211 OPERASOFTWAREUS United States 21->168 170 6 other IPs or domains 21->170 132 C:\Users\...\xJfOfgKXEOXledNGrlz32aEB.exe, PE32 21->132 dropped 134 C:\Users\...\vnj62R1JyzGpINqMV7rJKYxo.exe, PE32 21->134 dropped 136 C:\Users\...\t93PovtdSSF6rWK13A0BmF21.exe, PE32 21->136 dropped 138 222 other malicious files 21->138 dropped 204 Drops script or batch files to the startup folder 21->204 206 Creates HTML files with .exe extension (expired dropper behavior) 21->206 208 Uses cmd line tools excessively to alter registry or file data 21->208 210 Writes many files with high entropy 21->210 42 VwusFxYMs2k4w8E0UU6fz4gx.exe 21->42         started        46 547hboqqP1kF11byFYSUHXEn.exe 35 21->46         started        49 9o4dfEvhXWGjWhGYQzN44AAN.exe 21->49         started        59 3 other processes 21->59 51 conhost.exe 26->51         started        212 Modifies Windows Defender protection settings 28->212 53 cmd.exe 28->53         started        55 cmd.exe 28->55         started        61 2 other processes 28->61 57 Broom.exe 30->57         started        file7 signatures8 process9 dnsIp10 140 C:\Users\user\AppData\Local\...\Install.exe, PE32 42->140 dropped 142 C:\Users\user\AppData\Local\...\config.txt, data 42->142 dropped 214 Writes many files with high entropy 42->214 63 Install.exe 42->63         started        172 149.154.167.99 TELEGRAMRU United Kingdom 46->172 174 116.202.189.41 HETZNER-ASDE Germany 46->174 144 C:\Users\user\AppData\...\softokn3[1].dll, PE32 46->144 dropped 154 12 other files (8 malicious) 46->154 dropped 216 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->216 218 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 46->218 220 Tries to harvest and steal ftp login credentials 46->220 226 2 other signatures 46->226 176 107.167.110.216 OPERASOFTWAREUS United States 49->176 178 107.167.110.218 OPERASOFTWAREUS United States 49->178 180 6 other IPs or domains 49->180 146 Opera_installer_2311162030050847644.dll, PE32 49->146 dropped 148 C:\Users\user\AppData\Local\...\opera_package, PE32 49->148 dropped 150 C:\Users\user\...\additional_file0.tmp, PE32 49->150 dropped 156 4 other malicious files 49->156 dropped 66 9o4dfEvhXWGjWhGYQzN44AAN.exe 49->66         started        68 9o4dfEvhXWGjWhGYQzN44AAN.exe 49->68         started        70 9o4dfEvhXWGjWhGYQzN44AAN.exe 49->70         started        222 Uses cmd line tools excessively to alter registry or file data 53->222 72 reg.exe 53->72         started        74 conhost.exe 55->74         started        152 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 59->152 dropped 224 Found Tor onion address 59->224 76 Broom.exe 59->76         started        79 nXMrSztPmeZchUdpd2Eozx4D.exe 59->79         started        81 powershell.exe 59->81         started        file11 signatures12 process13 file14 158 C:\Users\user\AppData\Local\...\Install.exe, PE32 63->158 dropped 83 Install.exe 63->83         started        160 Opera_installer_2311162030129158008.dll, PE32 66->160 dropped 87 9o4dfEvhXWGjWhGYQzN44AAN.exe 66->87         started        162 Opera_installer_2311162030072167668.dll, PE32 68->162 dropped 164 Opera_installer_2311162030080377740.dll, PE32 70->164 dropped 246 Multi AV Scanner detection for dropped file 76->246 248 Found Tor onion address 79->248 89 conhost.exe 81->89         started        signatures15 process16 file17 126 C:\Users\user\AppData\Local\...\ZXcuwzw.exe, PE32 83->126 dropped 128 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 83->128 dropped 190 Multi AV Scanner detection for dropped file 83->190 192 Uses schtasks.exe or at.exe to add and modify task schedules 83->192 194 Modifies Windows Defender protection settings 83->194 196 2 other signatures 83->196 91 forfiles.exe 83->91         started        94 forfiles.exe 83->94         started        96 schtasks.exe 83->96         started        98 3 other processes 83->98 130 Opera_installer_2311162030137538072.dll, PE32 87->130 dropped signatures18 process19 signatures20 228 Modifies Windows Defender protection settings 91->228 230 Adds extensions / path to Windows Defender exclusion list 91->230 100 cmd.exe 91->100         started        103 conhost.exe 91->103         started        105 cmd.exe 94->105         started        107 conhost.exe 94->107         started        109 conhost.exe 96->109         started        111 conhost.exe 98->111         started        113 conhost.exe 98->113         started        115 conhost.exe 98->115         started        process21 signatures22 198 Uses cmd line tools excessively to alter registry or file data 100->198 117 reg.exe 100->117         started        120 reg.exe 100->120         started        122 reg.exe 105->122         started        124 reg.exe 105->124         started        process23 signatures24 200 Very long command line found 117->200 202 Modifies Windows Defender protection settings 117->202
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/745d794fd8a4efccfa11efa67e9232f31257931e4d846b2ab0a92bb8c4aea7d8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/745d794fd8a4efccfa11efa67e9232f31257931e4d846b2ab0a92bb8c4aea7d8/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-11-16 20:29:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oroxst6yutx4z6qr56th5ers6mjfpey6jwcgwkvqvev3rrfou7ma._file
Verdict:
malicious
Result
Malware family:
glupteba
Create hunting rule
Score:
  10/10
Tags:
family:glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/231116-y9j6jafc68/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
2065563971ecbaab8c1d31215c7322b894e9a3101d69544862f3a2be97857b70
MD5 hash:
db72198b2dfc9580ac93c0d335ca972c
SHA1 hash:
1629ff3c29ba170ab8d4fad8b651070a75c9a776
Link:
https://www.unpac.me/results/7b1f0e34-6b09-42fc-b9c7-d91f58fe87e1/
SH256 hash:
745d794fd8a4efccfa11efa67e9232f31257931e4d846b2ab0a92bb8c4aea7d8
MD5 hash:
d2ec4306f6f7711fe7c26d9d3f1bb309
SHA1 hash:
8e7cfd40698a4ac0ffe6ed345930ee3da4c0165f
Link:
https://www.unpac.me/results/7b1f0e34-6b09-42fc-b9c7-d91f58fe87e1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/745d794fd8a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/745d794fd8a4efccfa11efa67e9232f31257931e4d846b2ab0a92bb8c4aea7d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2730658/
Cape
Cape
https://www.capesandbox.com/analysis/458883/

Comments