MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93f4f7dd1458ebc9caa287fe4a81737a417a75ab8e3a4a150c5c907f87b51d11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 12



SHA256 hash: 93f4f7dd1458ebc9caa287fe4a81737a417a75ab8e3a4a150c5c907f87b51d11
SHA3-384 hash: 79007d9b5da4b52946b78a51ff802b32daec3e1da3bb5673048eaa09757d0874f4d66b1e2319823d382851c2031f3e89
SHA1 hash: e63e7cb07f36d6583987eb5af74f68320c901bb8
MD5 hash: dca73d055e1bfc4466bc9ac6a4f4f90b
humanhash: cat-stairway-autumn-maine
File name: SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065
Signature: Glupteba
File size: 22'709'128 bytes
First seen: 2023-11-15 03:16:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 196608:Wk3rl/JJM8vz9ZgCldbshh1BrB/WxsJwG9afGjPAn7b91FhQYImmsyr3XS1Y18YN:WkJcru2iAc7b91FhQYImmsuDvQE/
TLSH T129371824E1FAA54DF1F79976CED0B2E9A57AA4223703D2A6DC10D302782D5C7CEC2476
TrID 45.5% (.EXE) Win64 Executable (generic) (10523/12/4)
19.4% (.EXE) Win32 Executable (generic) (4505/5/1)
8.9% (.ICL) Windows Icons Library (generic) (2059/9)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: SecuriteInfoCom
Tags: exe Glupteba signed

Code Signing Certificate

Organisation: installcapital Inc
Issuer: installcapital Inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-11-15T00:32:12Z
Valid to: 2024-11-15T00:32:12Z
Serial number: e00534be702d87d1d6b4bd639ab65853
Thumbprint Algorithm: SHA256
Thumbprint: 8acf77272f424b00e0aa412852e3a0ea9388bbcff9f65a207c161b1a6d9f6036
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 356
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a window
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Blocking the User Account Control
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm overlay packed
Result
Verdict: MALICIOUS
Result
Threat name: Vidar, onlyLogger
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Disables UAC (registry)
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected onlyLogger
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1342783
Sample: SecuriteInfo.com.IL.Trojan....
Startdate: 15/11/2023
Architecture: WINDOWS
Score: 100
Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures

Process tree (node numbers and the counters shown after process names are the graph's own):
2 (sample) started: 9 SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe (2 4), 12 cmd.exe, 14 cmd.exe, 16 cmd.exe
9 SecuriteInfo.com.IL.Trojan.MSILZilla.30386.5839.12065.exe
  Signatures: Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; Disables UAC (registry); Injects a PE file into a foreign processes
  Started: 18 CasPol.exe (15 215), 23 powershell.exe (23)
12 cmd.exe started: 25 conhost.exe, 27 rrsUPQ1Lk7sptvmWtKi7NYZb.exe
14 cmd.exe started: 29 conhost.exe
16 cmd.exe started: 31 conhost.exe
18 CasPol.exe
  Network: 85.209.11.204 SYNGB Russian Federation; 111.90.146.230 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia; 7 other IPs or domains
  Dropped: C:\Users\...\zLzNt5HZT8AaGdjqavFqtb0c.exe (PE32); C:\Users\...\xn7UDsEhZlKKp8jd2UL8mcl5.exe (PE32); C:\Users\...\x6xsMyZ3tDssm20qsycTCJAp.exe (PE32); 173 other malicious files
  Signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior)
  Started: 33 49sMJWRAWIIK8WwDI9otMs90.exe (36), 38 SdLKfjy9G5HVukf5Js15wCJH.exe, 40 x6xsMyZ3tDssm20qsycTCJAp.exe, 44 (22 other processes)
23 powershell.exe started: 42 conhost.exe
33 49sMJWRAWIIK8WwDI9otMs90.exe
  Network: 149.154.167.99 TELEGRAMRU United Kingdom; 116.203.7.211 HETZNER-ASDE Germany
  Dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 10 other files (6 malicious)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
38 SdLKfjy9G5HVukf5Js15wCJH.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Started: 46 Install.exe
40 x6xsMyZ3tDssm20qsycTCJAp.exe
  Signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  Started: 49 x6xsMyZ3tDssm20qsycTCJAp.exe
44 (22 other processes)
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Sample uses process hollowing technique
  Started: 52 JADBThtmmkUYIFiBoMiLSqHc.exe, 54 rlkfcCiIkWzwdLwTZMimSH4V.exe, 56 JTaPOxVgJHFJO23dTvd5Aqsx.exe, 58 (2 other processes)
46 Install.exe
  Dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
  Started: 60 Install.exe
49 x6xsMyZ3tDssm20qsycTCJAp.exe
  Network: 199.188.204.145 NAMECHEAP-NETUS United States
  Dropped: C:\Users\user\AppData\...\hostsdreive[1].exe (PE32)
52 JADBThtmmkUYIFiBoMiLSqHc.exe
  Dropped: C:\Users\user\AppData\...\hostsdreive[1].exe (PE32); C:\Users\user\AppData\...\hostsdreive[2].exe (PE32)
54 rlkfcCiIkWzwdLwTZMimSH4V.exe
  Dropped: C:\Users\user\AppData\...\hostsdreive[2].exe (PE32)
56 JTaPOxVgJHFJO23dTvd5Aqsx.exe
  Dropped: C:\Users\user\AppData\...\hostsdreive[1].exe (PE32)
58 (2 other processes)
  Dropped: C:\Users\user\AppData\...\hostsdreive[1].exe (PE32); C:\Users\user\AppData\...\hostsdreive[3].exe (PE32)
60 Install.exe
  Dropped: C:\Users\user\AppData\Local\...\TiGNolU.exe (PE32); C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
  Signatures: Modifies Group Policy settings
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-11-15 03:17:08 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba collection discovery dropper evasion loader persistence rootkit spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
UAC bypass
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Glupteba
File: Executable exe 93f4f7dd1458ebc9caa287fe4a81737a417a75ab8e3a4a150c5c907f87b51d11 (this sample)

Comments