MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
SHA3-384 hash: 97e74b877bd442ce64ba71756348d2128bf8b2661ace200101d9cb6b111d5960c047d2ba8774db852b7dea25ef471282
SHA1 hash: c3e36a8ed0952db30676d5cf77b3671238c19272
MD5 hash: c59b5442a81703579cded755bddcc63e
humanhash: hotel-charlie-social-salami
File name:SecuriteInfo.com.Win64.Evo-gen.247.3191
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'252'384 bytes
First seen:2024-03-24 15:28:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6cb129ed43fdb4b64636582dff56a11 (1 x Glupteba)
ssdeep 49152:JtW1B+dRs6iY7idGOL8/actfDdAvNgFzzP/v0x5+TXwwF:L1F0OpF
Threatray 68 similar samples on MalwareBazaar
TLSH T1CA168D06ABD406E1E46BC634C67ADB32D7B2BC5E0735838B0954F35E1E33A915F6B221
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe Glupteba signed

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-24T11:28:24Z
Valid to:2025-03-24T11:28:24Z
Serial number: 364021ba451aaa24e11a3f496ec30570
Thumbprint Algorithm:SHA256
Thumbprint: c6bf2ea89244091307147adf6da7cdd9101866f153150bca1b8884c8b1badbae
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
504
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
glupteba
Create hunting rule
ID:
1
File name:
cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774.exe
Verdict:
Malicious activity
Analysis date:
2024-03-24 15:30:06 UTC
Tags:
loader stealer stealc rhadamanthys evasion privateloader glupteba trojan risepro lumma
Link:
https://app.any.run/tasks/e0a6e30d-f3de-4650-a884-b08a3e9584bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Running batch commands
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Sending an HTTP GET request to an infection source
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a window
Creating a file in the %AppData% subdirectories
Searching for analyzing tools
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug fingerprint masquerade overlay packed
Link:
https://www.filescan.io/uploads/660046c1b81a555db48d8e31/reports/bcde511f-53bd-4c74-80a7-8bc94c10bd5f/overview
Verdict:
Malicious
Labled as:
Win64/Kryptik.EFM trojan
Link:
https://www.hybrid-analysis.com/sample/cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cde19f9a-6077-4dd2-acf4-e2eab67c0447
Result
Threat name:
Glupteba, Mars Stealer, PureLog Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1414740
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Drops script or batch files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1414740 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 24/03/2024 Architecture: WINDOWS Score: 100 142 Malicious sample detected (through community Yara rule) 2->142 144 Multi AV Scanner detection for dropped file 2->144 146 Multi AV Scanner detection for submitted file 2->146 148 19 other signatures 2->148 9 SecuriteInfo.com.Win64.Evo-gen.247.3191.exe 1 2 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        process3 file4 84 C:\Users\user\.BLRVzdv\svchost.exe, PE32+ 9->84 dropped 164 Writes to foreign memory regions 9->164 166 Allocates memory in foreign processes 9->166 168 Adds a directory exclusion to Windows Defender 9->168 170 Drops PE files with benign system names 9->170 17 AddInProcess32.exe 15 624 9->17         started        22 cmd.exe 1 9->22         started        24 powershell.exe 23 9->24         started        172 Multi AV Scanner detection for dropped file 13->172 174 Sample uses process hollowing technique 13->174 176 Injects a PE file into a foreign processes 13->176 26 powershell.exe 13->26         started        28 RegSvcs.exe 13->28         started        signatures5 process6 dnsIp7 104 107.167.110.211 OPERASOFTWAREUS United States 17->104 106 107.167.110.216 OPERASOFTWAREUS United States 17->106 108 19 other IPs or domains 17->108 66 C:\Users\...\zf7gZ6ad4HuFJQfOG7IY5ydZ.exe, PE32 17->66 dropped 68 C:\Users\...\wFVPirdXCb5zBdt87tSztIBW.exe, PE32 17->68 dropped 70 C:\Users\...\vjD8fxc754scKF8rQ5RFaqVW.exe, PE32 17->70 dropped 72 277 other malicious files 17->72 dropped 150 Drops script or batch files to the startup folder 17->150 152 Creates HTML files with .exe extension (expired dropper behavior) 17->152 30 tIXV5JzbzM33XVC5NDpWXvsp.exe 17->30         started        35 s6O1Tlf0H3hgyqqsw85xtsBD.exe 17->35         started        37 XEpt69mj19RrBVBgpjly2R9m.exe 17->37         started        47 21 other processes 17->47 154 Uses schtasks.exe or at.exe to add and modify task schedules 22->154 39 conhost.exe 22->39         started        41 schtasks.exe 22->41         started        43 conhost.exe 24->43         started        45 conhost.exe 26->45         started        file8 signatures9 process10 dnsIp11 112 185.172.128.65 NADYMSS-ASRU Russian Federation 30->112 114 185.172.128.90 NADYMSS-ASRU Russian Federation 30->114 86 C:\Users\user\AppData\Local\Temp\u5yk.1.exe, PE32 30->86 dropped 88 C:\Users\user\AppData\Local\Temp\u5yk.0.exe, PE32 30->88 dropped 122 Detected unpacking (changes PE section rights) 30->122 124 Detected unpacking (overwrites its own PE header) 30->124 49 u5yk.0.exe 30->49         started        116 107.167.110.217 OPERASOFTWAREUS United States 35->116 118 107.167.125.189 OPERASOFTWAREUS United States 35->118 120 6 other IPs or domains 35->120 90 Opera_installer_2403241129556428136.dll, PE32 35->90 dropped 92 C:\Users\...\s6O1Tlf0H3hgyqqsw85xtsBD.exe, PE32 35->92 dropped 100 5 other malicious files 35->100 dropped 54 s6O1Tlf0H3hgyqqsw85xtsBD.exe 35->54         started        126 Query firmware table information (likely to detect VMs) 37->126 128 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->128 130 Hides threads from debuggers 37->130 138 3 other signatures 37->138 94 C:\Users\user\AppData\Local\Temp\u69g.1.exe, PE32 47->94 dropped 96 C:\Users\user\AppData\Local\Temp\u69g.0.exe, PE32 47->96 dropped 98 C:\Users\user\AppData\Local\Temp\u644.1.exe, PE32 47->98 dropped 102 3 other malicious files 47->102 dropped 132 Found Tor onion address 47->132 134 Contains functionality to inject code into remote processes 47->134 136 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 47->136 140 3 other signatures 47->140 56 RegAsm.exe 47->56         started        58 conhost.exe 47->58         started        60 conhost.exe 47->60         started        62 8 other processes 47->62 file12 signatures13 process14 dnsIp15 110 185.172.128.209 NADYMSS-ASRU Russian Federation 49->110 74 C:\Users\user\AppData\...\softokn3[1].dll, PE32 49->74 dropped 76 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 49->76 dropped 78 C:\Users\user\AppData\...\mozglue[1].dll, PE32 49->78 dropped 82 9 other files (1 malicious) 49->82 dropped 156 Detected unpacking (changes PE section rights) 49->156 158 Detected unpacking (overwrites its own PE header) 49->158 160 Tries to steal Mail credentials (via file / registry access) 49->160 162 4 other signatures 49->162 80 Opera_installer_2403241129588157244.dll, PE32 54->80 dropped 64 dialer.exe 56->64         started        file16 signatures17 process18
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774/
Threat name:
Win64.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-03-24 13:58:21 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zld7ysxjzf7lu5cvtevs2qket3rfp3cilrlcx7dsiwuqam5r252a._file
Verdict:
unknown
Similar samples:
48b0afb9f404d55c311994ab4da41e3aa6dacd23a1b8e0de1addfe6f9fea4d11
Glupteba
5de000c94215943f6ddbb15376ca07f67f9965ab58cbd3335279ae66baf56bb6
Glupteba
bbfd32be787e01f9b2514e32edfae246cf019ca6fb95c85d53a7776174f3becf
Glupteba
c54dec8c6c088c7b13267214dbc9ecb2f1e7aa3883e5bc4abe80accc83d32131
Glupteba
da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6
Glupteba
+ 58 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:rhadamanthys family:stealc family:zgrat discovery dropper evasion loader persistence rat rootkit spyware stealer themida trojan upx
Link:
https://tria.ge/reports/240324-swwphsgb9z/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
UPX packed file
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect ZGRat V1
Glupteba
Glupteba payload
Rhadamanthys
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Malware Config
C2 Extraction:
http://185.172.128.209
Unpacked files
SH256 hash:
cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774
MD5 hash:
c59b5442a81703579cded755bddcc63e
SHA1 hash:
c3e36a8ed0952db30676d5cf77b3671238c19272
Link:
https://www.unpac.me/results/bedfa867-90a8-4974-a9e0-1ab5f04f50d2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cac7fc4ae9c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2791207/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::RevertToSelf
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::VirtualAllocExNuma
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDecrypt
bcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptEncrypt
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptImportKey
bcrypt.dll::BCryptOpenAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments