MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba9b6e4e3c24b040f6a0cb4b6e6e37e0f0529c75bcc357f6abaca8561a67434f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 13



SHA256 hash: ba9b6e4e3c24b040f6a0cb4b6e6e37e0f0529c75bcc357f6abaca8561a67434f
SHA3-384 hash: bfe6ddd248dfa7d11aed549a798ff2cc7702d213f99e1c981e89d1d833ab59e3c79ab0ec53efafd6a8811fd536a28715
SHA1 hash: 6ac066c55d7b0b827b615ce5f7bb3123873f9a0d
MD5 hash: b8516f15dc4bbc3bc6ecaea73db3ce6c
humanhash: utah-alabama-muppet-mexico
File name:file
Signature Glupteba
File size:153'464 bytes
First seen:2023-11-22 18:36:50 UTC
Last seen:2023-11-23 15:07:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:Dg3z1gmoYu6MhCcXOp5JRH8j/MxyIT+SSw:DgD1gmXu6oCSOpp+kL
TLSH T125E3DF218B488BD4F03EA73548A5502EBBBAB4C53602C759B3C5F1864A67F476D70B2F
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags:exe Glupteba signed

Code Signing Certificate

Organisation:installrox Inc
Issuer:installrox Inc
Algorithm:sha256WithRSAEncryption
Valid from:2023-11-22T18:02:12Z
Valid to:2024-11-22T18:02:12Z
Serial number: 2ea711ded30675cb3a3ec1e610331fee
Thumbprint Algorithm:SHA256
Thumbprint: 6daefcf7055721c897d95ab82f5daad2f14aa8d66dd9ed7256581d7802a9fb00
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://91.92.243.139/files/InstallSetup2.exe

Intelligence


File Origin
# of uploads: 8
# of downloads: 352
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Creating a window
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Threat 2
Verdict: Malicious
Result
Threat name: Glupteba, Neoreklami, Vidar
Detection: malicious
Classification: troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Neoreklami
Yara detected Vidar stealer
Behaviour
Behavior Graph: [interactive behavior graph not reproduced; Behavior Graph ID: 1346564, Sample: file.exe, Startdate: 22/11/2023, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2023-11-22 18:37:05 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
NSIS installer
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Registers COM server for autorun
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 26ced7dd6b90f79363d30848df5f0b44455469ea465ed731af406add875aee70
MD5 hash: 262c22542e4713daf14afe1bfc498ace
SHA1 hash: 65ae7614a9088366267014ee73d76b8f410a8615
SHA256 hash: ba9b6e4e3c24b040f6a0cb4b6e6e37e0f0529c75bcc357f6abaca8561a67434f
MD5 hash: b8516f15dc4bbc3bc6ecaea73db3ce6c
SHA1 hash: 6ac066c55d7b0b827b615ce5f7bb3123873f9a0d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments