MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
SHA3-384 hash: a66d7b6ad62f31af12230ef7b39cd868b34eb76694ef0150b66f914f1192f3d65e7fa6dc54941f2be34cfd3c3f7e9219
SHA1 hash: 1a40995722dd0628a7b5ef5357f87fc4733d7315
MD5 hash: 2edfe2c1a5a005d157954b6155bd05f4
humanhash: queen-idaho-spaghetti-cola
File name:2edfe2c1a5a005d157954b6155bd05f4
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'650'024 bytes
First seen:2021-09-05 05:26:56 UTC
Last seen:2021-09-05 06:15:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f530acf7acd4a5c8880ba2a4704d4cbb (14 x RaccoonStealer, 4 x Glupteba, 2 x Tofsee)
ssdeep 98304:o4+8FLHnk2DwvU7/rcnub10nXmLzcYWoKZiwzR0e:o4DLE2DWUPcuh0nXmvlszRh
Threatray 162 similar samples on MalwareBazaar
TLSH T1F126330A6E90E4BFC021DAB045A9EBA0DD3E7C992C14641F3715FF6F9A13285932D3E5
dhash icon b27e7c7d727e6e76 (10 x RaccoonStealer, 5 x RedLineStealer, 5 x Stop)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'303
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2edfe2c1a5a005d157954b6155bd05f4
Verdict:
Suspicious activity
Analysis date:
2021-09-05 05:28:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/44ca2df3-44e1-4800-9444-0a6b8f048ba2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185360/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.7556.30539.29480.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Launching a service
Sending a UDP request
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/365a7401-0db4-4abc-847a-224dff7ee42c
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845423
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Found Tor onion address
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477854 Sample: aere0w43Yh Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 17 Multi AV Scanner detection for domain / URL 2->17 19 Found malware configuration 2->19 21 Antivirus detection for URL or domain 2->21 23 7 other signatures 2->23 6 aere0w43Yh.exe 19 2->6         started        process3 signatures4 25 Detected unpacking (changes PE section rights) 6->25 9 WerFault.exe 6->9         started        11 WerFault.exe 6->11         started        13 WerFault.exe 6->13         started        15 14 other processes 6->15 process5
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-05 05:27:07 UTC
AV detection:
13 of 43 (30.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgdmflk6r6akp2bi7gm53mv6cbpft2kyxjvvt3vy5ywvur3c67nq._file
Verdict:
unknown
Similar samples:
07792a24e211c9addd2b46ff799ecda7ab119edb6b043d66031097ae03c70c5f
Glupteba
0fc23c2e005cdfed1a0380dd7a06dda83b882f8d392c7f157b783822d21d78a1
Glupteba
15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559
Glupteba
2374688ef4bb51c7a7477bd3cac94db24f00f3707094e569aa4e4681d06a5176
Glupteba
44afe27cba5bc69958b37c9315d8de1c24324415883bbd7e368f9cc744639ed0
Glupteba
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
Glupteba
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
Glupteba
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
Glupteba
de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b
Glupteba
df0a2b50cba47cba62df3b128948dead529e8ccfbf59225e24bb47eadd2c4a81
Glupteba
+ 152 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210905-f5e2xaabck/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
dfc3dc63931b3197a9616b1297b1337a21032d1f2fb0c6e8eff0e8dc0cf69f7d
MD5 hash:
cc5d72eb4d87228d5b519675fbf06b39
SHA1 hash:
ce560038a870dbd3bd1b7af09693500bd8fa7a29
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/9480ee07-8dd5-434e-b67e-7fb662f5a679/
Parent samples :
a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
27cc1c937c1756bd58ce0ec416d58c4db6dfcbde9e472f3e12f897b6e2a2e881
eddf51b647cdf3f3b1c93279ceff1e6967e36324126a24ed5d3301500ffdf66c
0898070f71015de41ab42ba5edc1d67214d3fe8ce10dfaf2f3d6c2ea4f108642
0d6bec529d7f1b3fb03745a8fa4054455c057ef930a58d823774e6b99132ec79
SH256 hash:
a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db
MD5 hash:
2edfe2c1a5a005d157954b6155bd05f4
SHA1 hash:
1a40995722dd0628a7b5ef5357f87fc4733d7315
Link:
https://www.unpac.me/results/9480ee07-8dd5-434e-b67e-7fb662f5a679/
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a986c2ad5e8f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe a986c2ad5e8f80a7e828f999ddb2be105e59e958ba6b59eeb8ee2d5a4762f7db

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1593428/
Cape
Cape
https://www.capesandbox.com/analysis/185360/

Comments


Avatar
zbet commented on 2021-09-05 05:26:58 UTC

url : hxxps://mysters.info/5674d7511aa1fce0a68969dc57375b63.exe