MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 919a4877c1435674718c7ffd0c8c5ff7f5876be471fd8419875fb5dc1bdf3dd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Glupteba
Vendor detections: 7
| SHA256 hash: | 919a4877c1435674718c7ffd0c8c5ff7f5876be471fd8419875fb5dc1bdf3dd9 |
|---|---|
| SHA3-384 hash: | c0c468d0460251e3a5e8a12b81bbbf3cfbc6a5370a9d9cbccb97a118010c9837e3d99a8b49141cc75fdd7d717d6a1aad |
| SHA1 hash: | 24fe6bd49ca4c8ce497534a32f3ec9a998960e87 |
| MD5 hash: | 7a85a5a4542ab10ebf165aa13b329a27 |
| humanhash: | mountain-grey-vermont-monkey |
| File name: | file.exe |
| Download: | download sample |
| Signature | Glupteba |
| File size: | 4'656'128 bytes |
| First seen: | 2021-05-23 17:43:55 UTC |
| Last seen: | 2021-05-23 18:00:49 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 48d2401545bc23ddf9125d8d09f6c7f1 (4 x RaccoonStealer, 1 x Glupteba, 1 x CryptBot) |
| ssdeep | 98304:h1VWkzfEVIdBRj+Aq2gcyZ/D9jvTpNnk77c6ALzomKgTRlX:1MVIHMA5gVZ/hC3AJKWR |
| Threatray | 94 similar samples on MalwareBazaar |
| TLSH | 892633206463C034F0BF12F08876416966267FA09B2784FBE2C576EEA93A5F56D3174F |
| Reporter | Anonymous |
| Tags: | exe Glupteba |
Anonymous
unknown sourceIntelligence
File Origin
# of uploads :
2
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
No threats detected
Analysis date:
2021-05-23 17:46:19 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Changing a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Launching a service
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Sigma detected: Suspicious Service DACL Modification
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Glupteba
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Caynamer
Status:
Malicious
First seen:
2021-05-23 17:44:10 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 84 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Score:
10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XPACK
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
3) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
4) [C0049] File System Micro-objective::Get File Attributes
5) [C0051] File System Micro-objective::Read File
6) [C0052] File System Micro-objective::Writes File
7) [C0033] Operating System Micro-objective::Console
8) [C0040] Process Micro-objective::Allocate Thread Local Storage
9) [C0043] Process Micro-objective::Check Mutex
10) [C0041] Process Micro-objective::Set Thread Local Storage Value
11) [C0018] Process Micro-objective::Terminate Process
12) [C0039] Process Micro-objective::Terminate Thread