MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b0148744435d6298d2b73fe69019433ca6393e164af4e50709b7dda4b648891. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 17



SHA256 hash: 8b0148744435d6298d2b73fe69019433ca6393e164af4e50709b7dda4b648891
SHA3-384 hash: ab9d8dc2b93e0e03bb6ea67a938c59af0d88610562a4ca0c9ce230604a1e4809659ab4d729e0ca378ec833b8ad845e78
SHA1 hash: 68e53829368abd4f1d23cb531131223881df97f7
MD5 hash: 8c819f7e632740c87d694356afc931ed
humanhash: east-two-autumn-lion
File name: 231210-08-Glupteba-68a8fe.exe
Signature: Glupteba
File size: 9'362'944 bytes
First seen: 2024-07-24 12:11:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep: 98304:gHxMZDJ1TRpxYVX9u2iazANfLhZytTD5iqa:GxEvYjHzANDhwN
Threatray: 637 similar samples on MalwareBazaar
TLSH: T171966B91FA9B00F5EA13543084A7623F9331BD064B25CFCBD6506F2AED73AD20E36659
TrID: 29.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      27.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.4% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: Anonymous
Tags: exe Glupteba


Anonymous:
This malware sample is very nasty!

Intelligence


File Origin
# of uploads: 1
# of downloads: 320
Origin country: FR
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Tags:
Execution Generic Network Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Modifying an executable file
Launching a service
Restart of the analyzed sample
Creating a file in the Windows subdirectories
Adding an access-denied ACE
Running batch commands
Launching the process to change the firewall settings
Query of malicious DNS domain
Connection attempt to an infection source
Infecting executable files
Verdict:
Malicious
Threat level: 10/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm evasive expand fingerprint go golang hacktool lolbin packed shell32 stealer update
Result
Verdict:
MALICIOUS
Result
Threat name:
Bdaejec, Glupteba
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Yara detected Glupteba
Behaviour
Behavior Graph: Behavior Graph ID: 1480030; Sample: 231210-08-Glupteba-68a8fe.exe; Startdate: 24/07/2024; Architecture: WINDOWS; Score: 100
Threat name:
Win32.Virus.Wapomi
Status:
Malicious
First seen:
2024-07-24 12:12:12 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
37 of 38 (97.37%)
Threat level: 5/5
Result
Malware family:
glupteba
Score: 10/10
Tags:
family:glupteba aspackv2 discovery dropper evasion execution loader persistence privilege_escalation rootkit trojan
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Manipulates WinMon driver.
Manipulates WinMonFS driver.
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Windows security bypass
Unpacked files
SHA256 hash: 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
MD5 hash: 09031a062610d77d685c9934318b4170
SHA1 hash: 880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256 hash: 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
MD5 hash: d98e78fd57db58a11f880b45bb659767
SHA1 hash: ab70c0d3bd9103c07632eeecee9f51d198ed0e76
Detections: MAL_ME_RawDisk_Agent_Jan20_2
Parent samples:
SHA256 hash: caa8e02d91cf6ded2cd6a9d0b218f536bdb99dbe2d19727df1ef899b619f5c01
MD5 hash: ded1bb3a4536a459954fe78b7ef24994
SHA1 hash: 287e32ac702b9a66d73d959f76fefdfd1296aa2b

SHA256 hash: 5dfd6eb519b114f61731b959b989797b1f2e9ae95ee4c1a7a69370b3842d8c24
MD5 hash: b18f9e70d07bec7e3efac6de192db871
SHA1 hash: 6af1f424c9379f939a037d5a8d71d5f3e2faafd5

SHA256 hash: 8b0148744435d6298d2b73fe69019433ca6393e164af4e50709b7dda4b648891
MD5 hash: 8c819f7e632740c87d694356afc931ed
SHA1 hash: 68e53829368abd4f1d23cb531131223881df97f7
Detections: Glupteba
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: crime_ZZ_botnet_aicm
Author: imp0rtp3
Description: DDoS Golang Botnet sample for linux called 'aicm'
Reference: https://twitter.com/IntezerLabs/status/1401869234511175683
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: dsc
Author: Aaron DeVera
Description: Discord domains
Rule name: Glupteba
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: INDICATOR_SUSPICIOUS_DisableWinDefender
Author: ditekSHen
Description: Detects executables containing artifacts associated with disabling Windows Defender
Rule name: INDICATOR_SUSPICIOUS_EXE_DiscordURL
Author: ditekSHen
Description: Detects executables Discord URL observed in first stage droppers
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Author: ditekSHen
Description: Detects executables referencing many varying, potentially fake Windows User-Agents
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UroburosVirtualBoxDriver
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Exploit_Generic_e95cc41c
Author: Elastic Security
Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: Glupteba
File: Executable exe 8b0148744435d6298d2b73fe69019433ca6393e164af4e50709b7dda4b648891 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryW, kernel32.dll::GetSystemInfo
WIN_BASE_EXEC_API | Can Execute other programs | kernel32.dll::WriteConsoleW, kernel32.dll::SetConsoleCtrlHandler, kernel32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA, kernel32.dll::GetSystemDirectoryA

Comments