MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90c705c231a5e9e61a41474b00d64b321e85df7f814b398fe11ba16287d98864. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 12



SHA256 hash: 90c705c231a5e9e61a41474b00d64b321e85df7f814b398fe11ba16287d98864
SHA3-384 hash: 8c241ecd092fb86f847bffa7f6cd2e840ea4b0cddfa26a7918d29e59695aa79aade6e14e99691e4e8c90f3bf1e6ffc6d
SHA1 hash: aa79d755536cc1598f523c15696c3b379a4f77ba
MD5 hash: b8bb79b499c399e6aaad382a3b7b6122
humanhash: asparagus-wisconsin-five-minnesota
File name: file
Signature: Glupteba
File size: 1'933'160 bytes
First seen: 2023-12-02 14:44:42 UTC
Last seen: 2023-12-02 23:00:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 24576:UZAKxmPierLANEgTfdygjow14OCrHhi6unzIjxFAwSgmZX9uWfm2Yysm2YyhZX9A:kLmPyrMgUw5+ijnsjpQZXfizZXS
Threatray: 18 similar samples on MalwareBazaar
TLSH: T1F995E00773328659F713E8BC7134929E2A74BE2DE79FB627E17AAB5121030781D8B1D4
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: andretavare5
Tags: exe Glupteba signed

Code Signing Certificate

Organisation: Filego inc
Issuer: Filego inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-02T13:56:58Z
Valid to: 2024-12-02T13:56:58Z
Serial number: da1b330750ae12c20360bbcc0b5dfedc
Thumbprint Algorithm: SHA256
Thumbprint: f59e9ac3c51fc345ae202eac292a0690d5c4eb3f1b2d7ff84d177cbd8f2f259a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://91.92.241.91/files/InstallSetup2.exe

Intelligence


File Origin
# of uploads: 4
# of downloads: 326
Origin country: US

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a window
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Running batch commands
Launching the process to interact with network services
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control lolbin overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: HTMLPhisher, Glupteba, Petite Virus, Soc
Detection: malicious
Classification: rans.phis.troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected BlockedWebSite
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected onlyLogger
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Behavior Graph ID: 1352072
Sample: file.exe
Startdate: 02/12/2023
Architecture: WINDOWS
Score: 100

Top-level signatures:
  Multi AV Scanner detection for domain / URL
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  14 other signatures

Process tree (children indented under their parent; numbers in parentheses are the graph's own node ids):
file.exe (10)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds extensions / path to Windows Defender exclusion list (Registry); 3 other signatures
  CasPol.exe (13)
    network: 91.92.241.91 THEZONEBG Bulgaria; 107.167.110.216 OPERASOFTWAREUS United States; 9 other IPs or domains
    dropped: C:\Users\...\zh8JJPdWrgpHmclS6NcW8baJ.exe (PE32); C:\Users\...\zdyayR2nrYWacSPKUJ3dAXgl.exe (PE32); C:\Users\...\zLlY65Q0xpi9Mo5d0GrWXuUg.exe (PE32); 306 other malicious files
    signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
    FHzntuHFK8rUz68yy3rvPDD5.exe (20)
      dropped: C:\Users\...\FHzntuHFK8rUz68yy3rvPDD5.tmp (PE32)
      FHzntuHFK8rUz68yy3rvPDD5.tmp (33)
        dropped: 59 other files (47 malicious)
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        SupportCD.exe (54)
          dropped: C:\ProgramData\TLGAdapter\TLGAdapter.exe (PE32)
        net.exe (57)
          conhost.exe (68)
          net1.exe (70)
        schtasks.exe (59)
          conhost.exe (72)
        SupportCD.exe (61)
          network: 185.196.8.22 SIMPLECARRER2IT Switzerland; 45.155.250.90 MEER-ASmeerfarbigGmbHCoKGDE Germany; 95.216.227.177 HETZNER-ASDE Germany
    msECiIPwOOrAXufKz4c9xdCI.exe (23)
      dropped: C:\Users\...\msECiIPwOOrAXufKz4c9xdCI.tmp (PE32)
      msECiIPwOOrAXufKz4c9xdCI.tmp (37)
        dropped: 57 other files (45 malicious)
    guN0D7eP6heJD9pgWs9BxVm3.exe (25)
      network: 107.167.110.211 OPERASOFTWAREUS United States; 107.167.110.217 OPERASOFTWAREUS United States; 3 other IPs or domains
      dropped: Opera_installer_2312021451088407948.dll (PE32); C:\Users\user\AppData\Local\...\opera_package (PE32); 5 other malicious files
      signatures: Writes many files with high entropy
      guN0D7eP6heJD9pgWs9BxVm3.exe (39)
        dropped: Opera_installer_2312021451117487016.dll (PE32)
        guN0D7eP6heJD9pgWs9BxVm3.exe (64)
          dropped: Opera_installer_2312021451124306892.dll (PE32)
      guN0D7eP6heJD9pgWs9BxVm3.exe (41)
        dropped: Opera_installer_2312021451094808008.dll (PE32)
      guN0D7eP6heJD9pgWs9BxVm3.exe (43)
        dropped: Opera_installer_2312021451106848128.dll (PE32)
    15 other processes (31)
      network: 85.209.11.204 SYNGB Russian Federation; 194.5.249.115 NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO Romania; 2 other IPs or domains
      dropped: C:\Users\...\YUl9AoZiopDegGX7FMGMCiAC.tmp (PE32); C:\Users\...\yszo9dvB6Roic2A8Nab5c7Sm.tmp (PE32); C:\Users\...\HB6lFwhgR3SqP1xdji68Acc5.tmp (PE32); 14 other malicious files
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      zh8JJPdWrgpHmclS6NcW8baJ.tmp (45)
        network: 185.93.1.244 CDN77GB Czech Republic
        dropped: 4 other files (3 malicious)
        signatures: Writes many files with high entropy
      yszo9dvB6Roic2A8Nab5c7Sm.tmp (48)
        dropped: 2 other files (1 malicious)
      6oKcD5p0ZMxIAT548NZDLJZ5.exe (50)
        dropped: Opera_installer_2312021451165067852.dll (PE32)
      5 other processes (52)
        dropped: 2 other malicious files
        conhost.exe (66)
  powershell.exe (18)
    conhost.exe (29)
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-12-02 14:45:07 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 15 of 23 (65.22%)
Threat level: 5/5
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba discovery dropper evasion loader persistence spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 90c705c231a5e9e61a41474b00d64b321e85df7f814b398fe11ba16287d98864
MD5 hash: b8bb79b499c399e6aaad382a3b7b6122
SHA1 hash: aa79d755536cc1598f523c15696c3b379a4f77ba
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments