MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7cedaa26031eaa3bd108abb42e4a90738ca4606e7b305166b12a360f98cc251. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7cedaa26031eaa3bd108abb42e4a90738ca4606e7b305166b12a360f98cc251
SHA3-384 hash: 3ae5d6f13b7c4b7af98e18e448652a819c0c227ad65209cc608b7393bb1f6a8c7419638b0f259a999cc0319e36457d52
SHA1 hash: 4f299c65ac4ac4aa7c8b15d96d6cb10b107fb143
MD5 hash: b49845866d2e9edda2f7d77a1da07718
humanhash: bluebird-mountain-william-helium
File name:file
Download: download sample
Signature Glupteba
Create hunting rule
File size:543'584 bytes
First seen:2023-11-30 04:22:57 UTC
Last seen:2023-11-30 16:30:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:sOlP78EAoAvnMrC8OKetw5peVM4sNLfpc5TgA5JjLnFl:sORFA18OHa3eCvNLS5bl
Threatray 7 similar samples on MalwareBazaar
TLSH T178C4E0B0EC6A8C09D774B7F8059C661FD6E1768B0D91492D2FDFA9CCB96C0A0D22453E
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:exe Glupteba signed

Code Signing Certificate

Organisation:1Mg Inc
Issuer:1Mg Inc
Algorithm:sha256WithRSAEncryption
Valid from:2023-11-30T01:51:03Z
Valid to:2024-11-30T01:51:03Z
Serial number: 2c4277d0a46d997b496ef323af8aa609
Thumbprint Algorithm:SHA256
Thumbprint: 923b3aee0e581ec9653c0de3ca7937548180a1ee461d2bf1057ee3494160993d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://91.92.241.91/files/InstallSetup2.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
327
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/461293/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5350.20504.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a recently created file
Creating a service
Launching the process to interact with network services
Blocking the User Account Control
Enabling autorun for a service
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b7cedaa26031eaa3bd108abb42e4a90738ca4606e7b305166b12a360f98cc251
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b899f20-617d-4bed-9b2f-3a7483cda40b
Result
Threat name:
Glupteba, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1350316
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1350316 Sample: file.exe Startdate: 30/11/2023 Architecture: WINDOWS Score: 100 128 Multi AV Scanner detection for domain / URL 2->128 130 Malicious sample detected (through community Yara rule) 2->130 132 Antivirus detection for URL or domain 2->132 134 15 other signatures 2->134 10 file.exe 2 4 2->10         started        process3 signatures4 138 Writes to foreign memory regions 10->138 140 Allocates memory in foreign processes 10->140 142 Adds extensions / path to Windows Defender exclusion list (Registry) 10->142 144 3 other signatures 10->144 13 CasPol.exe 15 299 10->13         started        18 powershell.exe 23 10->18         started        process5 dnsIp6 122 91.92.241.91 THEZONEBG Bulgaria 13->122 124 107.167.110.216 OPERASOFTWAREUS United States 13->124 126 10 other IPs or domains 13->126 102 C:\Users\...\xhQ1lU2KeTV7E7EEq8Gs7MjH.exe, PE32 13->102 dropped 104 C:\Users\...\whTtvppNeIZFaWSDQsVxXicg.exe, PE32 13->104 dropped 106 C:\Users\...\wJBeMBIAtR0NFz054zzN2UHM.exe, PE32 13->106 dropped 108 238 other malicious files 13->108 dropped 156 Drops script or batch files to the startup folder 13->156 158 Creates HTML files with .exe extension (expired dropper behavior) 13->158 160 Writes many files with high entropy 13->160 20 Sj8OmJRWNAHj13OcJo49hI54.exe 13->20         started        23 4CtrHL2ccMFhhxAlRHKzPG32.exe 13->23         started        25 WC3l0Dr72fun3OlVk4D18N9B.exe 13->25         started        31 17 other processes 13->31 29 conhost.exe 18->29         started        file7 signatures8 process9 dnsIp10 80 C:\Users\...\Sj8OmJRWNAHj13OcJo49hI54.tmp, PE32 20->80 dropped 33 Sj8OmJRWNAHj13OcJo49hI54.tmp 20->33         started        82 C:\Users\...\4CtrHL2ccMFhhxAlRHKzPG32.tmp, PE32 23->82 dropped 37 4CtrHL2ccMFhhxAlRHKzPG32.tmp 23->37         started        110 107.167.110.218 OPERASOFTWAREUS United States 25->110 112 107.167.125.189 OPERASOFTWAREUS United States 25->112 120 4 other IPs or domains 25->120 84 Opera_installer_2311300423567124432.dll, PE32 25->84 dropped 86 C:\Users\user\AppData\Local\...\opera_package, PE32 25->86 dropped 94 5 other malicious files 25->94 dropped 146 Writes many files with high entropy 25->146 39 WC3l0Dr72fun3OlVk4D18N9B.exe 25->39         started        41 WC3l0Dr72fun3OlVk4D18N9B.exe 25->41         started        43 WC3l0Dr72fun3OlVk4D18N9B.exe 25->43         started        114 149.154.167.99 TELEGRAMRU United Kingdom 31->114 116 94.130.188.133 HETZNER-ASDE Germany 31->116 118 72.21.81.240 EDGECASTUS United States 31->118 88 C:\Users\...\2nLTy1XFk39ycRkbXTafCRW7.tmp, PE32 31->88 dropped 90 Opera_installer_2311300424190137764.dll, PE32 31->90 dropped 92 Opera_installer_2311300424107867276.dll, PE32 31->92 dropped 96 11 other malicious files 31->96 dropped 148 Detected unpacking (changes PE section rights) 31->148 150 Detected unpacking (overwrites its own PE header) 31->150 152 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->152 154 4 other signatures 31->154 45 SfKsdzTrcfDo8OmrNH7Q6PD4.exe 31->45         started        47 SfKsdzTrcfDo8OmrNH7Q6PD4.exe 31->47         started        49 nxd4d6x8AJbUbZvUxkDnDHOM.exe 31->49         started        51 4 other processes 31->51 file11 signatures12 process13 file14 76 15 other files (14 malicious) 33->76 dropped 136 Uses schtasks.exe or at.exe to add and modify task schedules 33->136 53 VolumeUTIL.exe 33->53         started        56 schtasks.exe 33->56         started        78 14 other files (13 malicious) 37->78 dropped 62 Opera_installer_2311300424003534332.dll, PE32 39->62 dropped 58 WC3l0Dr72fun3OlVk4D18N9B.exe 39->58         started        64 Opera_installer_2311300423576755284.dll, PE32 41->64 dropped 66 Opera_installer_2311300423587431680.dll, PE32 43->66 dropped 68 Opera_installer_2311300424053465384.dll, PE32 45->68 dropped 70 Opera_installer_2311300424105007260.dll, PE32 47->70 dropped 72 Opera_installer_2311300424135677380.dll, PE32 49->72 dropped 74 Opera_installer_2311300424219697572.dll, PE32 51->74 dropped signatures15 process16 file17 98 C:\ProgramData\TLGAdapter\TLGAdapter.exe, PE32 53->98 dropped 60 conhost.exe 56->60         started        100 Opera_installer_2311300424011925748.dll, PE32 58->100 dropped process18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b7cedaa26031eaa3bd108abb42e4a90738ca4606e7b305166b12a360f98cc251
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7cedaa26031eaa3bd108abb42e4a90738ca4606e7b305166b12a360f98cc251/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-30 04:23:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w7hnvitaghvkhpiqrk5ufzfja44murqg46zqkftlckrwb6mmyjiq._file
Verdict:
malicious
Similar samples:
2098861183af17f90540b06c78ca66f03cf2a33ddde87f1649fdec0e85270f48
Glupteba
addcd44ed648980e8bed20517c5fddf1dde5da3dac960339f4d049cd974daf5f
Glupteba
c1da889268db3a1dd91eda6f8696a9f9f6750012cf40f14fc3b38fc0d831610d
Glupteba
de202d2f7ee8a12500e6de9d1c9023bfeafee79cfcc1eef197e2629790b655ad
Glupteba
Result
Malware family:
glupteba
Create hunting rule
Score:
  10/10
Tags:
family:glupteba discovery dropper evasion loader persistence ransomware rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/231130-ezsv5sfg53/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
b7cedaa26031eaa3bd108abb42e4a90738ca4606e7b305166b12a360f98cc251
MD5 hash:
b49845866d2e9edda2f7d77a1da07718
SHA1 hash:
4f299c65ac4ac4aa7c8b15d96d6cb10b107fb143
Link:
https://www.unpac.me/results/ce7bfe14-9f76-48d3-a933-eaa02b782932/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b7cedaa26031/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2735609/
Cape
Cape
https://www.capesandbox.com/analysis/461293/

Comments