MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b5320743f143e52e4d186b1244b9940a3538893eb22f324ef568e1ab2495b8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b5320743f143e52e4d186b1244b9940a3538893eb22f324ef568e1ab2495b8d
SHA3-384 hash: c9f27033888d1365507f9655ee28dc9b4a2faa45a9cd536474aa447a9fe1ab607feddaf33ae1f3936d3cc5a4155cbe88
SHA1 hash: b095f1490de665504f220c8f0fb6b40f658bd440
MD5 hash: 3fffa3952204057bdeba31076c428f71
humanhash: snake-purple-william-ack
File name:3fffa3952204057bdeba31076c428f71
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'939'776 bytes
First seen:2022-10-04 12:34:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0e9c847d831a8ac3efa55818acb90d72 (4 x Glupteba, 1 x CryptOne)
ssdeep 98304:62h+pKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:6JbFmS3VjVEOeTtJHbdnrz7
Threatray 7 similar samples on MalwareBazaar
TLSH T12336DF2ABB0981B6CA7173F199AB55DE9430DC30906540F8AE832B49F536F7743BA347
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316510/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41073/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/633c28785c60ccc9fcff32fa/reports/ad350ecb-74d4-427f-9b8e-7b6943bf0afd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/011af687-d644-4d63-8539-3cf54dea6bda
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083230
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 715785 Sample: FSV3WBdiYJ.exe Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 33 Antivirus detection for URL or domain 2->33 35 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 3 other signatures 2->39 7 FSV3WBdiYJ.exe 2->7         started        process3 dnsIp4 29 217.195.155.154, 49702, 8081 SHOCK-1US Netherlands 7->29 31 get.geojs.io 104.26.1.100, 443, 49703 CLOUDFLARENETUS United States 7->31 41 Detected unpacking (changes PE section rights) 7->41 43 Detected unpacking (overwrites its own PE header) 7->43 45 Tries to harvest and steal browser information (history, passwords, etc) 7->45 11 cmd.exe 1 7->11         started        13 cmd.exe 1 7->13         started        15 WMIC.exe 1 7->15         started        17 13 other processes 7->17 signatures5 process6 process7 19 WMIC.exe 1 11->19         started        21 conhost.exe 11->21         started        23 WMIC.exe 1 13->23         started        25 conhost.exe 13->25         started        27 conhost.exe 15->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b5320743f143e52e4d186b1244b9940a3538893eb22f324ef568e1ab2495b8d/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 12:35:13 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnjsa5b7cq7ffzgrq2ysis4zicrvhcet5mrpgjhpk2hbvmsjlogq._file
Verdict:
malicious
Similar samples:
2e6e8729d76dc13a750db437a1677e60d579f785714e7c5bbff65085be0f08bf
Glupteba
5f2f29011be6cf5de2a601ddd3ea58224a73f663725f81a87a8659b520000e36
Glupteba
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
Glupteba
7b1e00c9b305c4355432682a1d67a2bc1fc35bd4dccf53419d01a7986d8053e7
Glupteba
883e12a7cd81c09838284e4dbda9caa9d8df6ac57234e14ee0ee02bb2fcc2329
Glupteba
8eb6ae80fd83cdfb03f10de49649d97029f10c3074e0683b9c9c9094b469289d
Glupteba
eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362
Glupteba
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221004-psckpabcbl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Gathering data
Unpacked files
SH256 hash:
69d043f055680cbd141f3b1f02d9f893d0984596f1702b85aa960f8980bc6b6e
MD5 hash:
9b48c7427e6d09b88e0f40453f1b5e7b
SHA1 hash:
f40bcd1863f21f6fe9ec914ff432d84492860aa0
Link:
https://www.unpac.me/results/2d978b12-a4e7-4c0f-be66-9d7db0d644fd/
SH256 hash:
8b5320743f143e52e4d186b1244b9940a3538893eb22f324ef568e1ab2495b8d
MD5 hash:
3fffa3952204057bdeba31076c428f71
SHA1 hash:
b095f1490de665504f220c8f0fb6b40f658bd440
Link:
https://www.unpac.me/results/2d978b12-a4e7-4c0f-be66-9d7db0d644fd/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b5320743f14/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b5320743f143e52e4d186b1244b9940a3538893eb22f324ef568e1ab2495b8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe 8b5320743f143e52e4d186b1244b9940a3538893eb22f324ef568e1ab2495b8d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/316510/

Comments


Avatar
zbet commented on 2022-10-04 12:34:12 UTC

url : hxxp://179.43.163.115/intersock.exe