MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8578846ede366f0408345227eac93e186ab1af6b6937209fecb7b4de117a098a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 16



SHA256 hash: 8578846ede366f0408345227eac93e186ab1af6b6937209fecb7b4de117a098a
SHA3-384 hash: 6ab2ac281a7184db9857c45d3b3f04f1ac7af34482e7b3831436c28d840537c56a27877f74b9699778b13596aae24150
SHA1 hash: 249bb3a10bfd4f1347021243305e9124322600c0
MD5 hash: c6a17f436fd10da6775f69183b20630c
humanhash: mountain-four-zebra-tango
File name: BlumBot.exe
Download: download sample
Signature: Glupteba
File size: 3'998'023 bytes
First seen: 2025-01-23 14:45:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep: 98304:YUtJnSZ5hE8rnNwIz0WEkeSwEEj9nFSKql79FXTNp+HgKpcx:7UTE8rnKIQjE8FEFHDNIzcx
TLSH: T1BE06336F76D08119CC5230F35B96E768D6EEEF5E282E088D5701FE5848B02536B1DECA
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
File icon (PE): PE icon
dhash icon: f0b270d0ccccf0e0 (1 x Glupteba)
Reporter: aachum
Tags: exe PentagonStealer


iamaachum
https://github.com/Frolowbokk/TelegramBlumBot/releases/download/build/Build_Win64.zip

Pentagon C2: https://pentagon.cy

Intelligence


File Origin
# of uploads: 1
# of downloads: 421
Origin country: ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://github.com/Frolowbokk/TelegramBlumBot
Verdict:
Malicious activity
Analysis date:
2025-01-23 11:32:38 UTC
Tags:
telegram stealer miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
injection obfusc spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Running batch commands
Deleting a system file
Launching a process
Launching a tool to kill processes
Forced shutdown of a browser
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc overlay packed packer_detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Attempt to bypass Chrome Application-Bound Encryption
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Overwrites Mozilla Firefox settings
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1597670
Sample: BlumBot.exe
Start date: 23/01/2025
Architecture: WINDOWS
Score: 100
Top-level network contacts: api.telegram.org; slkpanel3458647.site; 2 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Uses the Telegram API (likely for C&C communication); 13 other signatures

Process tree recovered from the graph:
BlumBot.exe
  Dropped: C:\Users\user\AppData\...\Installer.exe (PE32+); C:\Users\user\AppData\Roaming\1337\al.vbs (ASCII); C:\Users\user\AppData\Local\...\System.dll (PE32)
  Started: Installer.exe; wscript.exe
  Installer.exe
    Network: biteblob.com 71.179.14.4, 443, 49731, 49732 UUNETUS United States; api.telegram.org 149.154.167.220, 443, 49739 TELEGRAMRU United Kingdom
    Dropped: C:\Users\user\AppData\Local\Temp\...\Main.exe (PE32+); C:\Users\user\AppData\Local\...\Bypass.exe (PE32+)
    Signatures: Multi AV Scanner detection for dropped file; Installs new ROOT certificates
    Started: Main.exe; Bypass.exe
    Main.exe
      Dropped: C:\ProgramData\...\WindowsAutHost (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
      Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); 10 other signatures
      Started: dialer.exe; powershell.exe; cmd.exe; 13 other processes
      dialer.exe: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures; started 5 other processes
      powershell.exe: Loading BitLocker PowerShell Module; started conhost.exe
      cmd.exe: started conhost.exe; wusa.exe
      13 other processes: started conhost.exe (2x); 11 other processes
    Bypass.exe
      Network: pentagon.cy 104.21.16.1, 443, 49747, 49748 CLOUDFLARENETUS United States
      Dropped: C:\Users\user\AppData\...\cookies-copy.sqlite (SQLite)
      Signatures: Detected unpacking (creates a PE file in dynamic memory); Attempt to bypass Chrome Application-Bound Encryption; Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
      Started: chrome.exe (which started a child chrome.exe); msedge.exe (which started a child msedge.exe); taskkill.exe; 3 other processes
WindowsAutHost
  Dropped: C:\Windows\Temp\afioaaeuwupn.sys (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); 9 other signatures
  Started: powershell.exe (Loading BitLocker PowerShell Module; started conhost.exe); cmd.exe (started conhost.exe; wusa.exe); sc.exe (started conhost.exe); 6 other processes (started conhost.exe (2x); 3 other processes)
svchost.exe
  Network: 127.0.0.1 unknown unknown
Threat name:
Win32.Trojan.Doina
Status:
Malicious
First seen:
2025-01-23 14:40:16 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Result
Malware family:
pentagonstealer
Score:
10/10
Tags:
family:pentagonstealer credential_access defense_evasion discovery execution persistence spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Drops file in Drivers directory
Stops running service(s)
Uses browser remote debugging
Pentagon Stealer
Pentagonstealer family
Malware Config
C2 Extraction:
https://pentagon.cy
Unpacked files
SHA256 hash:
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
MD5 hash:
2ae993a2ffec0c137eb51c8832691bcb
SHA1 hash:
98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256 hash:
dcf407601d692c437ddd3e8535c4e101584c7914bc5df99d8bd3a02ff4620dc1
MD5 hash:
77f2fdb37c37415561c973821ae74508
SHA1 hash:
6d349c71b9b72648b09948f56f2cd9151c8d2072
Detections:
Sliver
SHA256 hash:
8578846ede366f0408345227eac93e186ab1af6b6937209fecb7b4de117a098a
MD5 hash:
c6a17f436fd10da6775f69183b20630c
SHA1 hash:
249bb3a10bfd4f1347021243305e9124322600c0
Malware family:
CryptBot.v3
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware
Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Glupteba
File: Executable exe 8578846ede366f0408345227eac93e186ab1af6b6937209fecb7b4de117a098a (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA) (severity: high)

Reviews
AUTH_API (Manipulates User Authorization): ADVAPI32.dll::SetFileSecurityA
COM_BASE_API (Can Download & Execute components): ole32.dll::CoCreateInstance
SECURITY_BASE_API (Uses Security Base API): ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API (Manipulates System Shell): SHELL32.dll::ShellExecuteA, SHELL32.dll::SHFileOperationA, SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API (Can Create Process and Threads): KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API (Uses Win Base API): KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDiskFreeSpaceA, KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API (Can Create Files): KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::MoveFileExA, KERNEL32.dll::MoveFileA
WIN_BASE_USER_API (Retrieves Account Information): ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API (Can Manipulate Windows Registry): ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegDeleteKeyA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API (Performs GUI Actions): USER32.dll::AppendMenuA, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExA, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA

Comments