MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b41f401bf6daa04d28c5ee89492a5c2c3c36d0bdab6b1babf14af6f394a07803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 8


Intelligence 8 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b41f401bf6daa04d28c5ee89492a5c2c3c36d0bdab6b1babf14af6f394a07803
SHA3-384 hash: f986a646fd872080e7da81c3c7d8549523e39df4911a85001d4c1a69d62c65308e43a5aab8de99b970455d2022c0a7ac
SHA1 hash: 7c59bd5a24f3cd21d054d3be7363de1007ec7072
MD5 hash: f1cc93a34b0a13a612f8cae82ac8a95b
humanhash: delaware-network-blossom-washington
File name:f1cc93a34b0a13a612f8cae82ac8a95b.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'660'224 bytes
First seen:2021-05-25 07:11:05 UTC
Last seen:2021-05-25 08:04:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b64eecec5bf93098572cd0eb71a8ec40 (1 x TeamBot, 1 x Glupteba)
ssdeep 98304:hy7XQojoB/HFIaTUpU9+GvFW2zSnbYfHk9W4r1jP9bHEii:+XQDE7GU2wOk9W4r1FEi
Threatray 98 similar samples on MalwareBazaar
TLSH C126333069A1CC39E1BF117816A6CAF9693A78719774C0EF10D53BDA8A3C5E17C3126B
Reporter abuse_ch
Tags:exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
388
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161743/
Detection(s):
Win.Ransomware.Generickdz-9864351-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
DNS request
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791267
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423664 Sample: Ywska8grah.exe Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 94 Antivirus detection for URL or domain 2->94 96 Antivirus detection for dropped file 2->96 98 Antivirus / Scanner detection for submitted sample 2->98 100 10 other signatures 2->100 9 Ywska8grah.exe 19 2->9         started        12 svchost.exe 2->12         started        14 csrss.exe 2->14         started        16 10 other processes 2->16 process3 dnsIp4 110 Detected unpacking (changes PE section rights) 9->110 112 Detected unpacking (overwrites its own PE header) 9->112 114 Modifies the windows firewall 9->114 116 Drops PE files with benign system names 9->116 19 Ywska8grah.exe 11 2 9->19         started        118 Changes security center settings (notifications, updates, antivirus, firewall) 12->118 24 csrss.exe 14->24         started        74 127.0.0.1 unknown unknown 16->74 26 csrss.exe 16->26         started        28 csrss.exe 16->28         started        signatures5 process6 dnsIp7 76 humisnee.com 172.67.206.104, 443, 49722 CLOUDFLARENETUS United States 19->76 64 C:\Windows\rss\csrss.exe, PE32 19->64 dropped 102 Drops executables to the windows directory (C:\Windows) and starts them 19->102 104 Creates an autostart registry key pointing to binary in C:\Windows 19->104 30 csrss.exe 4 8 19->30         started        35 cmd.exe 1 19->35         started        file8 signatures9 process10 dnsIp11 78 spolaect.info 172.67.161.225, 443, 49731 CLOUDFLARENETUS United States 30->78 80 sndvoices.com 30->80 82 3 other IPs or domains 30->82 66 C:\Windows\System32\drivers\Winmon.sys, PE32+ 30->66 dropped 68 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 30->68 dropped 70 C:\Users\...70tQuerySystemInformationHook.dll, PE32+ 30->70 dropped 72 3 other files (none is malicious) 30->72 dropped 84 Antivirus detection for dropped file 30->84 86 Multi AV Scanner detection for dropped file 30->86 88 Detected unpacking (changes PE section rights) 30->88 92 5 other signatures 30->92 37 injector.exe 30->37         started        40 schtasks.exe 1 30->40         started        42 mountvol.exe 1 30->42         started        48 4 other processes 30->48 90 Uses netsh to modify the Windows network and firewall settings 35->90 44 netsh.exe 3 35->44         started        46 conhost.exe 35->46         started        file12 signatures13 process14 signatures15 106 Multi AV Scanner detection for dropped file 37->106 50 conhost.exe 37->50         started        52 conhost.exe 40->52         started        54 conhost.exe 42->54         started        108 Creates files in the system32 config directory 44->108 56 conhost.exe 48->56         started        58 conhost.exe 48->58         started        60 conhost.exe 48->60         started        62 conhost.exe 48->62         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b41f401bf6daa04d28c5ee89492a5c2c3c36d0bdab6b1babf14af6f394a07803/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 06:59:15 UTC
AV detection:
25 of 47 (53.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
02e3af4e6de5b587d1bb7ffe0b9346f48034dfacca31fda114a5632fd47090f1
Glupteba
0631f79b64656ff71ed923284acc5ee41ebb530eb42cecbd78846b6ddd180b9f
Glupteba
0de430b38bdccba626c6c0c5c8297057fd434ccc7a0d4c84bc066eb9dde07420
Glupteba
10ca39f81fb42e95a9dc694244aa826b0d7b8132a12e861732f59add8bb37256
Glupteba
129da3e565d7ab1c5e5c3705be3811b629e058be9af50d354bf7949605062416
Glupteba
1f9578b50263a8f756344b1f1a7c9d8b9e3dcc651aa34ec07bf46e8cc68470eb
Glupteba
397bfeb1261e2856bde7456470832206f54b77ef6a2ad5d1bda8c50a71cd2936
Glupteba
4ae0156d1ccca584c5ed35708b150e0649cd470f5b192653a578c215e5118c08
Glupteba
919a4877c1435674718c7ffd0c8c5ff7f5876be471fd8419875fb5dc1bdf3dd9
Glupteba
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
Glupteba
+ 88 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210525-4745bjkvpe/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Glupteba
Glupteba Payload
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b41f401bf6daa04d28c5ee89492a5c2c3c36d0bdab6b1babf14af6f394a07803

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:QnapCrypt
Create hunting rule
Author:Intezer Labs
Reference:https://www.intezer.com
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_zloader_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe b41f401bf6daa04d28c5ee89492a5c2c3c36d0bdab6b1babf14af6f394a07803

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1279245/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/161743/

Comments