MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5445b7c8d5971a05495c3e0d3f56ab68bb5f372c3d687b24b5b8930c3368f54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 12

Intelligence 12 IOCs YARA 8 File information Comments

SHA256 hash:	b5445b7c8d5971a05495c3e0d3f56ab68bb5f372c3d687b24b5b8930c3368f54
SHA3-384 hash:	9626393f15eb869154707d286b383becc12ee309c6498c520ca278cfb1d6c5eb2c4915a9ffb2232d0accd034c2945ca7
SHA1 hash:	8aed732bd5a2d58f38baa69387b86f103847a1e4
MD5 hash:	445010c5775fcde74fcb5f3813e6f3a9
humanhash:	stairway-blue-november-may
File name:	1.exe
Download:	download sample
Signature	Glupteba Create hunting rule
File size:	4'547'072 bytes
First seen:	2021-08-30 12:57:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6af2f376c26d45636195772a4c22fdda (12 x RaccoonStealer, 5 x Stop, 3 x Amadey)
ssdeep	98304:nAvO5zAsSEcn513RfBkwQWTWS+JHdisdEOyJqtj9vruhK1Z3igdUn:Av+zxSEcnn3RfBkD4/+JnETwthDuho
Threatray	130 similar samples on MalwareBazaar
TLSH	T1102633182C76C86AD8F6DAF9D19B85A0557F3BF98712C553238946337AA70C2323C1B7
dhash icon	4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter	Anonymous
Tags:	exe Glupteba

Intelligence

File Origin

# of uploads :

# of downloads :

1'253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

nemesis.loader+(2).7z-PLND-ADzQK2H0CAUAqkgCAFJPFwASAHdHt_UA.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-29 18:31:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ad77bc15-fb95-4363-bcc7-a96f44015b48

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/183756/

Detection(s):

Win.Dropper.Fragtor-9889202-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Deleting a recently created file

Changing a file

Launching a process

Launching the default Windows debugger (dwwin.exe)

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Launching a service

Connection attempt to an infection source

Running batch commands

Creating a process with a hidden window

Launching the process to change the firewall settings

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Creating a file

DNS request

Connection attempt

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Disabling the operating system update service

Adding exclusions to Windows Defender

Enabling autorun by creating a file

Malware family:

Glupteba

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26189d7e-1f21-4a2c-ace6-71aadd88ceae

Result

Threat name:

Glupteba Metasploit

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/841571

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Found Tor onion address

Machine Learning detection for sample

May modify the system service descriptor table (often done to hook functions)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Glupteba

Yara detected Metasploit Payload

Behaviour

Behavior Graph:

Download SVG

Detection:

glupteba

Link:

https://mwdb.cert.pl/sample/b5445b7c8d5971a05495c3e0d3f56ab68bb5f372c3d687b24b5b8930c3368f54/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-08-29 18:27:08 UTC

AV detection:

32 of 46 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wvcfw7enlfy2avevypqnh5lkw2f3l43syplipmslloetbqzwr5ka._file

Verdict:

unknown

Glupteba

4df83e858a2d52987f6e9b8afcde20643ee1cd106089e412e25b1df186a57b29

Glupteba

a7a2d5e0d31d31e452252c14023420621e92967814dc6410f783c5f101c3de1b

Glupteba

a8647cfb02a8b8c077fb4285357c29f58afb1a8ffff6da199e6a3887030869fd

Glupteba

bf5bc18439ee4363f861058f1dc8a0fa74775be6efc44fbf7d8d6c511fd2a447

Glupteba

cf46c5f2cd03626cad846f9d3d55366a7b469704eae8ed7ba54eda6940dc9bba

Glupteba

d2f01f5182de940b27db63f60ca85d5f4421c75de628c03a63d8e92cf9f3681c

Glupteba

d6d3dd2923a9b46473abb1d811fb4b64bdcf2c0c15c1f48161353b1c220d7e23

Glupteba

dad7611f8df2b970dad82657205886a8b314472c59927c9ba29a484e1376e157

Glupteba

+ 120 additional samples on MalwareBazaar

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:glupteba family:metasploit backdoor dropper loader trojan

Link:

https://tria.ge/reports/210830-sqetfk5t7a/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Glupteba

Glupteba Payload

MetaSploit

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

42a5f7bb2f80330f8ae8a9e62fe6ae4410f8bb2796f24ac8e81db53352b76aea

MD5 hash:

c277ba9d6c9b17d2d27a5a22a2dd4c76

SHA1 hash:

0a043b6785a1bf6a249cf97cee66b012a30268bf

Detections:

win_zloader_g1

Link:

https://www.unpac.me/results/45bf4481-2788-48b8-b84e-bcd64a38be76/

Parent samples :

1c26aa5bcb8e5bc2170d8c7b8c2b0698d4e8a60f0d0f65c1a9a3d5e9b360cf58
b5445b7c8d5971a05495c3e0d3f56ab68bb5f372c3d687b24b5b8930c3368f54
4f71b2a4b8c2b49695b57ac172f6fc30e7f7816439c716d5f7b45ca7dcf0a182
74f19d23d99aed723ed2584ef1e558cf3d6995a1a3624a4454f9d4c4c53c2963
93ce6999d6249ff0b1cc363e50b91886fc87f832dbf819c33e4a7c9f01fbb431
0c535fc0755f04c889292d4bcae072d090f67030cb7a369b6a2113bfc37e1697

SH256 hash:

b5445b7c8d5971a05495c3e0d3f56ab68bb5f372c3d687b24b5b8930c3368f54

MD5 hash:

445010c5775fcde74fcb5f3813e6f3a9

SHA1 hash:

8aed732bd5a2d58f38baa69387b86f103847a1e4

Link:

https://www.unpac.me/results/45bf4481-2788-48b8-b84e-bcd64a38be76/

Malware family:

Glupteba

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b5445b7c8d59/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5445b7c8d5971a05495c3e0d3f56ab68bb5f372c3d687b24b5b8930c3368f54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Glupteba Create hunting rule

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing URLs to raw contents of a Github gist

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many varying, potentially fake Windows User-Agents