MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 15



SHA256 hash: 8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93
SHA3-384 hash: 883871567ea3c13df70125089add41651ee281d489622f22405c80608e6a4a9b21e33c44d1efbab9f1bd62dfbd07496f
SHA1 hash: cb982786f558208767bc171a4c3b718b0db0ce3f
MD5 hash: 1d5c8c5f65ece8bd6c534c2a4dab103f
humanhash: princess-enemy-vermont-shade
File name: file
Signature: Glupteba
File size: 4'383'104 bytes
First seen: 2023-06-08 14:19:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 04fcc8db11b5c1b7316151fcbb546c01 (1 x RedLineStealer, 1 x Amadey, 1 x Smoke Loader)
ssdeep 98304:rPc9FcYO05ihGHS9WSnwj8q/RLdadqz/Y0RFELZvszSs:7c3EciILSnqdBdamY0RyeWs
Threatray 63 similar samples on MalwareBazaar
TLSH T1B116331052DDBC12F9F64A368D3F87F4632BB6A18FAE5A6B13025B5A05739F2CE11305
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 0020201010100000 (1 x Glupteba)
Reporter jstrosch
Tags: exe Glupteba

Intelligence


File Origin
# of uploads :
1
# of downloads :
276
Origin country :
US US
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
8ada0d8273fab2340bdec6e6309dcd2c.exe
Verdict:
Malicious activity
Analysis date:
2023-06-07 18:57:51 UTC
Tags:
loader smoke trojan ransomware stop stealer vidar amadey gcleaner rat redline miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Launching a service
Creating a file in the Windows subdirectories
Running batch commands
Launching the process to change the firewall settings
Creating synchronization primitives
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware overlay packed xpack
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Glupteba
Behaviour
Behavior Graph: [graph rendering not reproduced in text; Behavior Graph ID: 884240, Sample: file.exe, Startdate: 08/06/2023, Architecture: WINDOWS, Score: 100. Process nodes shown in the graph: file.exe, csrss.exe, powershell.exe, cmd.exe, conhost.exe, netsh.exe, schtasks.exe, fodhelper.exe; dropped file C:\Windows\rss\csrss.exe; contacted host 17fefb11-99a4-4cd7-8d4c-1fdfd00008ad.uuid.cdneurops.pics]
Threat name:
Win32.Trojan.Glupteba
Status:
Malicious
First seen:
2023-06-07 20:11:14 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
28 of 37 (75.68%)
Threat level:
5/5
Result
Malware family:
glupteba
Score:
10/10
Tags:
family:glupteba discovery dropper evasion loader persistence rootkit trojan upx
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Windows security bypass
Unpacked files
SHA256 hash:
e206de78f87b7d3f73242e179261d0bd7a91524bc2ef6cb043789c4b8e8b3e69
MD5 hash:
139a0ba2600e97aae458a2db1324fc08
SHA1 hash:
afbeaa6d4008abb99596e19747deb92d8a22a45f
Parent samples :
SHA256 hash:
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93
MD5 hash:
1d5c8c5f65ece8bd6c534c2a4dab103f
SHA1 hash:
cb982786f558208767bc171a4c3b718b0db0ce3f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: crime_ZZ_botnet_aicm
Author: imp0rtp3
Description: DDoS Golang Botnet sample for linux called 'aicm'
Reference: https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: dsc
Author: Aaron DeVera
Description: Discord domains
Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: INDICATOR_SUSPICIOUS_DisableWinDefender
Author: ditekSHen
Description: Detects executables containing artifacts associated with disabling Windows Defender
Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables Discord URL observed in first stage droppers
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware
Rule name: UroburosVirtualBoxDriver
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Glupteba
File type: Executable exe
SHA256 hash: 8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93 (this sample)

Delivery method
Distributed via web download

Comments