MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a136132c812d85311e6b7f9c8b7178ad7b855d6ab112cf8d9126bbc9e1ba12b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a136132c812d85311e6b7f9c8b7178ad7b855d6ab112cf8d9126bbc9e1ba12b
SHA3-384 hash: 764a57c0b7fbbef43abdb0908ca7df9ed7236549e33d3f03211a96633a754a539550a556cc35ec3ff42e77f8d49f0024
SHA1 hash: 84600689cef2e3402deaab8235592773da1f0300
MD5 hash: 67ca5ad06e6fd3106c88061a5963dbbc
humanhash: nine-hawaii-mango-beer
File name:67ca5ad06e6fd3106c88061a5963dbbc
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'756'480 bytes
First seen:2021-06-24 07:50:03 UTC
Last seen:2021-06-24 09:02:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e17a996886aa2657a4de6c042170d2c (3 x RedLineStealer, 2 x Glupteba, 1 x Formbook)
ssdeep 98304:10R/Wfl8C8BIdeMdzDTXIsY1OiTwyiIqhuqrsoLBXCjsNhliZ+KooQfp182k:6mCC6ElzDTXVsmrsEwQaZdQf
Threatray 129 similar samples on MalwareBazaar
TLSH F8263340BAA1C439F6B213BC98399258B43E3A715B7550CB57E2D6CE863D7E2DD3130A
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
67ca5ad06e6fd3106c88061a5963dbbc
Verdict:
Suspicious activity
Analysis date:
2021-06-24 07:50:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/842a3b54-55f4-40bd-a6e2-865b9be739dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167879/
Detection(s):
SecuriteInfo.com.Packed-GDT67CA5AD06E6F.19746.6912.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3dc11636-5d89-43ae-8bd2-48dbe49c863a
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807237
Signature
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439648 Sample: xXitOR6S1L Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 82 Multi AV Scanner detection for domain / URL 2->82 84 Antivirus detection for URL or domain 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 9 other signatures 2->88 10 xXitOR6S1L.exe 19 2->10         started        13 csrss.exe 2->13         started        15 csrss.exe 2->15         started        17 csrss.exe 2->17         started        process3 signatures4 98 Detected unpacking (changes PE section rights) 10->98 100 Detected unpacking (overwrites its own PE header) 10->100 102 Modifies the windows firewall 10->102 104 Drops PE files with benign system names 10->104 19 xXitOR6S1L.exe 11 2 10->19         started        24 csrss.exe 13->24         started        26 csrss.exe 15->26         started        process5 dnsIp6 74 humisnee.com 104.21.93.73, 443, 49717 CLOUDFLARENETUS United States 19->74 64 C:\Windows\rss\csrss.exe, PE32 19->64 dropped 94 Drops executables to the windows directory (C:\Windows) and starts them 19->94 96 Creates an autostart registry key pointing to binary in C:\Windows 19->96 28 csrss.exe 4 7 19->28         started        33 cmd.exe 1 19->33         started        file7 signatures8 process9 dnsIp10 76 blinkroast.info 172.67.131.148, 443, 49725 CLOUDFLARENETUS United States 28->76 78 spolaect.info 172.67.161.225, 443, 49724 CLOUDFLARENETUS United States 28->78 80 3 other IPs or domains 28->80 66 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 28->66 dropped 68 C:\Users\...68tQuerySystemInformationHook.dll, PE32+ 28->68 dropped 70 C:FI\Microsoft\Boot\bootmgfw.efi, MS-DOS 28->70 dropped 72 2 other files (none is malicious) 28->72 dropped 106 Detected unpacking (changes PE section rights) 28->106 108 Detected unpacking (overwrites its own PE header) 28->108 110 Machine Learning detection for dropped file 28->110 114 2 other signatures 28->114 35 injector.exe 28->35         started        38 mountvol.exe 1 28->38         started        40 schtasks.exe 1 28->40         started        46 4 other processes 28->46 112 Uses netsh to modify the Windows network and firewall settings 33->112 42 netsh.exe 3 33->42         started        44 conhost.exe 33->44         started        file11 signatures12 process13 signatures14 90 Multi AV Scanner detection for dropped file 35->90 48 conhost.exe 35->48         started        50 conhost.exe 38->50         started        52 conhost.exe 40->52         started        92 Creates files in the system32 config directory 42->92 54 conhost.exe 46->54         started        56 conhost.exe 46->56         started        58 conhost.exe 46->58         started        60 conhost.exe 46->60         started        process15 process16 62 csrss.exe 50->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a136132c812d85311e6b7f9c8b7178ad7b855d6ab112cf8d9126bbc9e1ba12b/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 07:50:27 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rijwcmwiclmfgepgw744rnyxrll3qvowvmisz6gzcjv3zhq3uevq._file
Verdict:
malicious
Similar samples:
07d9cc94a464997e7b768b4186bec3897e22650577d73aa6f9f924ba769648ea
Glupteba
0898957c40396d42ccd8e4d39800e2835bf537fe9c0206015c6f7968c687fe7d
Glupteba
0e2bcbe99b84383cfa549598d998bddce096daa94e1eb6dfbfa66d3cf12cc1e4
Glupteba
3ed60a60c3aeb99f383ef97de1581827c535d082cf9f33c5fe6ef572fc186a94
Glupteba
8e8ce2e7aded8560037718928e891ddc0831e7be68d906c93f91509e71756d72
Glupteba
b40d3f5493f03dd8fa6efc0d3f02c7f67d3ca76daa45dbec75887cb6eb013461
Glupteba
bf348bb3548e36fc86c7cd916f08be6f2b6e870ba20475e9aa660bf81cccb525
Glupteba
e718a8778287f4e364f7351a0c40b8342f98da515601921d1844b3efa5ced16e
Glupteba
fb6dc575c8c198be8af4f170e7ff62ab2301ebef1720cb5ae6a835abd0d3a1b6
Glupteba
feb5dbea1297cdc29c07e451063f3d81ceccf0476e445f88d86e03bbaee5f277
Glupteba
+ 119 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210624-b3gg8198dx/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
da9ed78f513805cd8f0a87052a89c4f84fe4b3c5630e38e5de02e878e720ed3f
MD5 hash:
c73e243bd95ca8c49e5b4f52e6c47557
SHA1 hash:
423fe8473eaf7aa5759f2c1a0e4c252ca07dec42
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/4f7e25e2-b1a2-4bdc-9cb8-d2ddd67b7824/
Parent samples :
83c43f97e3004978fdf9f8b74c914ef8569fcef4bce255021c05b71a7ed0828e
146f903893804a1301d94cd7a0c391f4d49b04e0d166a53f08eb99eb79b2fed8
50057a2614e252437ab59d90a17c32a2279cf063a972046ec984f01b87bcdd4f
07d9cc94a464997e7b768b4186bec3897e22650577d73aa6f9f924ba769648ea
8e8ce2e7aded8560037718928e891ddc0831e7be68d906c93f91509e71756d72
0e2bcbe99b84383cfa549598d998bddce096daa94e1eb6dfbfa66d3cf12cc1e4
fb6dc575c8c198be8af4f170e7ff62ab2301ebef1720cb5ae6a835abd0d3a1b6
bf348bb3548e36fc86c7cd916f08be6f2b6e870ba20475e9aa660bf81cccb525
0898957c40396d42ccd8e4d39800e2835bf537fe9c0206015c6f7968c687fe7d
b40d3f5493f03dd8fa6efc0d3f02c7f67d3ca76daa45dbec75887cb6eb013461
3ed60a60c3aeb99f383ef97de1581827c535d082cf9f33c5fe6ef572fc186a94
feb5dbea1297cdc29c07e451063f3d81ceccf0476e445f88d86e03bbaee5f277
91654caf527c8419b947ebe9d028432b8266a08a4bea7e1290bbf07b55d8afe7
e718a8778287f4e364f7351a0c40b8342f98da515601921d1844b3efa5ced16e
8a136132c812d85311e6b7f9c8b7178ad7b855d6ab112cf8d9126bbc9e1ba12b
644ac8a4124578b48412c2c5bd65b4be358fc6b1b99b035327fe1a04b41aabc1
0d08230ed56d3391dc2eaae90e49e5c4ad3be5adffc25dbb177b840b9c035cb8
cece43c0d14d452f66849e0d6eacc97947e65291b280785f345b403f4d0952ea
204fb10c44b1bc7bdb6edcb23fc05e9fbe0e26920df2ae618994b40989b0c951
d8a5f706531b7ce2e2416e05269537bcd5380384d8adabe13809412e74412e61
ee03c1f9d13e4a81a04a57d7d9aa6ec9bf3ed416f4e9a3dd4913eda15b1a3a1c
e4094dbcaad2b2a1b0d0abdaa5c937d0fdb721284242f2afb95a5e618d49c8ac
3b658e18aaa3a2e85db5479368328239962111a4eccfe5677c238b26a2de9521
8e0ee387d0c15f1025517b335dce057306e1278ee77a338e0800018226ba2433
SH256 hash:
8a136132c812d85311e6b7f9c8b7178ad7b855d6ab112cf8d9126bbc9e1ba12b
MD5 hash:
67ca5ad06e6fd3106c88061a5963dbbc
SHA1 hash:
84600689cef2e3402deaab8235592773da1f0300
Link:
https://www.unpac.me/results/4f7e25e2-b1a2-4bdc-9cb8-d2ddd67b7824/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a136132c812d85311e6b7f9c8b7178ad7b855d6ab112cf8d9126bbc9e1ba12b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:QnapCrypt
Create hunting rule
Author:Intezer Labs
Reference:https://www.intezer.com
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 8a136132c812d85311e6b7f9c8b7178ad7b855d6ab112cf8d9126bbc9e1ba12b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167879/

Comments