MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90a3094c222cdadd6986b4d18e2c6ee5172484316ebd18a05167e2f458e17270. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash: 90a3094c222cdadd6986b4d18e2c6ee5172484316ebd18a05167e2f458e17270
SHA3-384 hash: 3a427057e343e39af19e603b4438c587da2ccd7c94795dca05549eec35b22ee73034f36f5fd592fa0ac036bf22ae40d2
SHA1 hash: 56dc3716f41cc0159f425c949c344f97c0443a01
MD5 hash: 631a53494c133f38982b1c8e73f1a42c
humanhash: magazine-oklahoma-victor-nine
File name: file
Signature: Glupteba
File size: 1'502'208 bytes
First seen: 2023-11-27 16:14:54 UTC
Last seen: 2023-11-27 23:28:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 24576:gJec4OMGLQSYI0YEFPwUhWWrREY01IJDvHvF:JcBn84fYPF
TLSH: T190657C187BC5FE62D21D93B4C5764404A779E9973A03E31B1742EAB8B8EB77DCD82042
TrID: 27.3% (.SCR) Windows screen saver (13097/50/3)
      22.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe Glupteba


andretavare5: Sample downloaded from http://91.92.241.91/files/InstallSetup2.exe

Intelligence


File Origin
# of uploads: 8
# of downloads: 332
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Searching for the window
Moving a recently created file
Creating a file in the %AppData% subdirectories
Creating a service
Launching the process to interact with network services
Using the Windows Management Instrumentation requests
Running batch commands
Blocking the User Account Control
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Launching a tool to kill processes
Enabling autorun for a service
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Glupteba, Socks5Systemz, Vidar
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Socks5Systemz
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 1348728; sample file.exe; start date 27/11/2023; architecture WINDOWS; score 100), shown as a process tree with the network, dropped-file and signature annotations of each node:

[2] file.exe (submitted sample)
    Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
    Started:
    [10] file.exe
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds extensions / path to Windows Defender exclusion list (Registry); 3 other signatures
        Started:
        [18] CasPol.exe
            Network: 91.92.241.91 THEZONEBG Bulgaria; 91.92.243.139 THEZONEBG Bulgaria; 16 other IPs or domains
            Dropped: C:\Users\...\zMvQir8shtDfAfDxMfaUUIhi.exe (PE32+); C:\Users\...\zDcxgM2y12G02bwrYKdqIxIa.exe (PE32); C:\Users\...\ysqjaycjqoLKqShmMSasPw0u.exe (PE32); 316 other malicious files
            Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
            Started:
            [27] DR3EzmmKt3bC7cawFTVKSdJJ.exe
                Network: 107.167.110.217 OPERASOFTWAREUS United States; 107.167.125.189 OPERASOFTWAREUS United States; 5 other IPs or domains
                Dropped: Opera_installer_2311271616029337632.dll (PE32); C:\Users\user\AppData\Local\...\opera_package (PE32); 5 other malicious files
                Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Writes many files with high entropy
                Started:
                [40] DR3EzmmKt3bC7cawFTVKSdJJ.exe
                    Dropped: 15 other malicious files
                    Started:
                    [58] DR3EzmmKt3bC7cawFTVKSdJJ.exe
                        Dropped: Opera_installer_2311271616103378064.dll (PE32)
                [43] DR3EzmmKt3bC7cawFTVKSdJJ.exe
                    Dropped: Opera_installer_2311271616035777692.dll (PE32)
                [45] DR3EzmmKt3bC7cawFTVKSdJJ.exe
                    Dropped: Opera_installer_2311271616060047800.dll (PE32)
            [32] gi0lkDsANlWE4B1DiM5w1mh7.exe
                Network: 149.154.167.99 TELEGRAMRU United Kingdom; 128.140.72.50 HETZNER-ASDE Germany
                Dropped: 13 other files (9 malicious)
                Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 3 other signatures
            [34] gpHP7PQeUiGpJQbNfJZ6u3QK.exe
                Dropped: C:\Users\...\gpHP7PQeUiGpJQbNfJZ6u3QK.tmp (PE32)
                Started:
                [47] gpHP7PQeUiGpJQbNfJZ6u3QK.tmp
                    Dropped: 15 other files (14 malicious)
                    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                    Started:
                    [61] TVLand.exe
                        Dropped: C:\ProgramData\...\TLGraphicsMode.exe (PE32)
                    [63] net.exe
                        Started: [74] conhost.exe; [76] net1.exe
                    [65] schtasks.exe
                        Started: [78] conhost.exe
                    [67] TVLand.exe
                        Network: 69.30.233.162 WIIUS United States; 142.132.202.219 UNIVERSITYOFWINNIPEG-ASNCA Canada; 2 other IPs or domains
            [38] 15 other processes
                Dropped: C:\Users\...\oYLvMw36o08F3ftSirT690sH.tmp (PE32); C:\Users\...\1FqqMO0YBF0Vo0TSqTDCx8NJ.tmp (PE32); Opera_installer_2311271616184228104.dll (PE32); 10 other malicious files
                Signatures: Creates an undocumented autostart registry key; Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
                Started:
                [50] 1FqqMO0YBF0Vo0TSqTDCx8NJ.tmp
                    Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); 13 other files (12 malicious)
                [52] oYLvMw36o08F3ftSirT690sH.tmp
                    Dropped: 14 other files (13 malicious)
                [54] vVTvp04MbVlKpP0IRLHcE8PY.exe
                    Dropped: Opera_installer_2311271616180367812.dll (PE32)
                [56] 4 other processes
                    Dropped: 2 other malicious files
                    Started: [70] conhost.exe; [72] conhost.exe
        [23] powershell.exe
            Started: [36] conhost.exe
    [13] powershell.exe
        Started: [25] conhost.exe
    [15] apphost.exe
        Network: 74.201.73.52 DEDICATEDUS United States; 1.1.1.1 CLOUDFLARENETUS Australia; 127.0.0.1 unknown unknown
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-11-27 16:15:08 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 19 of 23 (82.61%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba discovery dropper evasion loader persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Adds policy Run key to start application
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies WinLogon for persistence
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 90a3094c222cdadd6986b4d18e2c6ee5172484316ebd18a05167e2f458e17270
MD5 hash: 631a53494c133f38982b1c8e73f1a42c
SHA1 hash: 56dc3716f41cc0159f425c949c344f97c0443a01
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader

Delivery method: Distributed via drive-by

Comments