MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2e138ea3c9e6424d54f592ffdd5db5fd7cd5c762e34b76a598b0b6e709f12a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 16



SHA256 hash: b2e138ea3c9e6424d54f592ffdd5db5fd7cd5c762e34b76a598b0b6e709f12a4
SHA3-384 hash: 26f247095fa51c33a2858877bb35e6e1580a8117a22e8b664e3def393fd800d2b4fe90372583561ab6dd2437cd588481
SHA1 hash: 6a33269d694e59b740e198a8f616d42d3f95138e
MD5 hash: fee14513b3ee3ba358da4937900b67c6
humanhash: india-equal-winter-video
File name: file
Signature Glupteba
File size: 636'800 bytes
First seen: 2023-11-24 07:13:45 UTC
Last seen: 2023-11-24 20:19:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:+BfqmY2c60z8qb9Iu0kGmuCNYeyd3H9AHngmgTlrp2EmU8d1WWcjAIxJ9mp9:vEM8A30XgNtydNAHMZr0bHTbhIx/mp9
Threatray 11 similar samples on MalwareBazaar
TLSH T13ED4F1902ACAB3AEC4DC617297D04C5D1396BD4E579ACA803E8DC34B9CF5B02995F273
TrID 27.3% (.SCR) Windows screen saver (13097/50/3)
22.0% (.EXE) Win64 Executable (generic) (10523/12/4)
13.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags: exe Glupteba signed

Code Signing Certificate

Organisation: Installsetup3 Inc
Issuer: Installsetup3 Inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-11-24T00:40:12Z
Valid to: 2024-11-24T00:40:12Z
Serial number: 46ebc83fcd229d086cfa93c4d403e8f0
Thumbprint Algorithm: SHA256
Thumbprint: 16b1790e18250a94a771e624d3c7d9c19a6a9caf07b17069f93c5d498b20ed1a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://91.92.243.139/files/InstallSetup2.exe

Intelligence


File Origin
# of uploads: 9
# of downloads: 333
Origin country: US
Vendor Threat Intelligence
Malware family: nanocore
ID: 1
File name: New Text Document.bin.zip
Verdict: Malicious activity
Analysis date: 2023-11-24 06:50:50 UTC
Tags: loader stealer nanocore rat remote privateloader evasion opendir stealc amadey botnet arechclient2 backdoor miner smoke risepro kelihos trojan lumma redline zgrat socks5systemz

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% directory
Searching for the window
Creating a file in the %AppData% subdirectories
Moving a recently created file
Launching the process to interact with network services
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed remcos
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Neoreklami, Vidar, Socks5Systemz, Vid
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Neoreklami
Yara detected Socks5Systemz
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 1347247 (sample file.exe, start date 24/11/2023, architecture WINDOWS, score 100)
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2023-11-24 03:22:36 UTC
File Type: PE (.Net Exe)
Extracted files: 23
AV detection: 11 of 23 (47.83%)
Threat level: 5/5
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Registers COM server for autorun
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: d113f7aa419061646c663fa8aad836170e4e5e8384c5700334c88250fcaaedfc
MD5 hash: febaee26ee8b398ceaefc2d9eebf804b
SHA1 hash: 8b06a6887636c58e25cbcf365139a31827d4ed1b
SHA256 hash: b2e138ea3c9e6424d54f592ffdd5db5fd7cd5c762e34b76a598b0b6e709f12a4
MD5 hash: fee14513b3ee3ba358da4937900b67c6
SHA1 hash: 6a33269d694e59b740e198a8f616d42d3f95138e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by
