MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c99f57b763d90598609eb0b585ca8399057531d171021d3052efdefe26289117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 11

SHA256 hash: c99f57b763d90598609eb0b585ca8399057531d171021d3052efdefe26289117
SHA3-384 hash: 3f99a6430fdac7fba73d659a49f51a80f8c06c218be5cc59d39177f60aafdf2668ed50f91e0f497523bf541790245f9f
SHA1 hash: 85b04a55e86df8a4404e34c8d3344c3982ca3988
MD5 hash: 4a00bfe737f5e4d59657139be86ce95f
humanhash: monkey-pennsylvania-solar-beryllium
File name: file
Download: download sample
Signature: Glupteba
File size: 4'180'336 bytes
First seen: 2023-11-16 01:55:42 UTC
Last seen: 2023-11-16 15:37:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep: 49152:sOxAFStryyqCIldeSdVvogcnPBBGnGqGttviRshAU+vkcLHmGPkZn/CU2brTNdyg:s3ShqJXsPBBEGqklQrVHknkkETwU
TLSH: T17C166C40E2F2A64CF4EA85319E70A7F85273B423A722D359CC58E519747EAD78FC0762
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: andretavare5
Tags: exe Glupteba signed

Code Signing Certificate

Organisation: optimam inc
Issuer: optimam inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-11-16T00:45:28Z
Valid to: 2024-11-16T00:45:28Z
Serial number: 58589904ab282b64462f723f66b3f8ce
Thumbprint Algorithm: SHA256
Thumbprint: f1b553fedda2e7aa6f0c1065111b5367b07974679bee53d80f4c3d469c4880b3
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://91.92.243.139/files/InstallSetup2.exe

Intelligence

File Origin
# of uploads: 7
# of downloads: 360
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Blocking the User Account Control
Forced shutdown of a system process
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm fingerprint lolbin msbuild msdeploy overlay packed remote replace
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Neoreklami, Vidar
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Neoreklami
Yara detected Vidar stealer
Behaviour
Behavior Graph:
[Behavior graph rendering not reproduced. Behavior Graph ID: 1343364; Sample: file.exe; Startdate: 16/11/2023; Architecture: WINDOWS; Score: 100]
Threat name: ByteCode-MSIL.Trojan.Zilla
Status: Malicious
First seen: 2023-11-16 01:56:06 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 7 of 38 (18.42%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: evasion spyware stealer trojan
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: 83fdb5956b7176e4d34e4327f523bd8d7a4aef247b1700401d20cef944d4b63c
MD5 hash: d076fcf8b65067579725ada8374de6ef
SHA1 hash: 0000998aba83eb0823f5c61e053b74d6719700e1
SHA256 hash: c99f57b763d90598609eb0b585ca8399057531d171021d3052efdefe26289117
MD5 hash: 4a00bfe737f5e4d59657139be86ce95f
SHA1 hash: 85b04a55e86df8a4404e34c8d3344c3982ca3988
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments