MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce783f58d78f69218cbcdcf3db34ebdca2e7519a8fcb950b007dc0e78dc188d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 20



SHA256 hash: ce783f58d78f69218cbcdcf3db34ebdca2e7519a8fcb950b007dc0e78dc188d4
SHA3-384 hash: ffabebecdb635519f4364476a5ac4079748c91e80d99753e5e1e524efae3de58bb7a201f9ae93334e7e1b376ea23aaf7
SHA1 hash: 6a03f4f11301ce9f5b9090d4229b9863d7dbe8ae
MD5 hash: bf4f6b1cb7b18366585309cb7331e356
humanhash: september-sink-glucose-florida
File name: JaffaCakes118_ce783f58d78f69218cbcdcf3db34ebdca2e7519a8fcb950b007dc0e78dc188d4
Signature Glupteba
File size: 4'253'736 bytes
First seen: 2024-12-29 22:09:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2298a85f6209121c0300386104921291 (8 x RedLineStealer, 7 x Smoke Loader, 4 x CoinMiner)
ssdeep 98304:p6UvZFqVGEXRN1bqH6+y2D/lttdZAlthCe3A32tHT9faq5tjXVwV:Yg/qVGoRN1bJp2BttdZAlE3sxhFs
Threatray 42 similar samples on MalwareBazaar
TLSH T1FC16337606E70A39DC9CC0B8B40A9AF64C7A7268E7E5CC436F51084D26751FC6FAA47C
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 480c1c4c4f594904 (9 x Smoke Loader, 7 x RedLineStealer, 6 x Amadey)
Reporter JaffaCakes118
Tags: exe Glupteba

Intelligence


File Origin
# of uploads: 1
# of downloads: 449
Origin country: GB
Vendor Threat Intelligence
Malware family: glupteba
ID: 1
File name: JaffaCakes118_ce783f58d78f69218cbcdcf3db34ebdca2e7519a8fcb950b007dc0e78dc188d4
Verdict: Malicious activity
Analysis date: 2024-12-29 22:09:11 UTC
Tags: uac trojan glupteba discord antivm golang github xmrig

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.1%
Tags: injection emotet obfusc crypt
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching a service
Restart of the analyzed sample
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Creating a service
DNS request
Launching a process
Creating a file in the %temp% subdirectories
Connection attempt
Sending a UDP request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Disabling the operating system update service
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint microsoft_visual_cc packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found Tor onion address
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Glupteba
Behaviour
Threat name: Win32.Trojan.Lockbit
Status: Malicious
First seen: 2022-10-25 06:04:28 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 30 of 38 (78.95%)
Threat level: 5/5
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba discovery dropper evasion loader persistence privilege_escalation rootkit trojan
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Adds Run key to start application
Checks installed software on the system
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Executes dropped EXE
Loads dropped DLL
Windows security modification
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba family
Glupteba payload
Windows security bypass
Verdict: Malicious
Tags: Win.Packed.Pwsx-9975723-0
YARA: n/a
Unpacked files
SHA256 hash: 132e7c320d58329dd4b8e6fda210f7acbcbd425313931103e39d73091d781a3f
MD5 hash: 5c4d187c49ff1823326841138adf6315
SHA1 hash: 5d06a98573ed214462b1970b965a2ee3d902d78a
Detections: Glupteba INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL INDICATOR_SUSPICIOUS_EXE_DiscordURL INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

SHA256 hash: 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
MD5 hash: 09031a062610d77d685c9934318b4170
SHA1 hash: 880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256 hash: 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
MD5 hash: d98e78fd57db58a11f880b45bb659767
SHA1 hash: ab70c0d3bd9103c07632eeecee9f51d198ed0e76
Detections: MAL_ME_RawDisk_Agent_Jan20_2

Parent samples:
SHA256 hash: caa8e02d91cf6ded2cd6a9d0b218f536bdb99dbe2d19727df1ef899b619f5c01
MD5 hash: ded1bb3a4536a459954fe78b7ef24994
SHA1 hash: 287e32ac702b9a66d73d959f76fefdfd1296aa2b

SHA256 hash: 7f75ad59f4647e5d3b2d0594930d9e7492918365c4d8491935db40607457607c
MD5 hash: 064b4bc7767943b853aa58e470f13616
SHA1 hash: d2a106efba5b4dfe0761de638109650ceb5a404c

SHA256 hash: 5dfd6eb519b114f61731b959b989797b1f2e9ae95ee4c1a7a69370b3842d8c24
MD5 hash: b18f9e70d07bec7e3efac6de192db871
SHA1 hash: 6af1f424c9379f939a037d5a8d71d5f3e2faafd5

SHA256 hash: ce783f58d78f69218cbcdcf3db34ebdca2e7519a8fcb950b007dc0e78dc188d4
MD5 hash: bf4f6b1cb7b18366585309cb7331e356
SHA1 hash: 6a03f4f11301ce9f5b9090d4229b9863d7dbe8ae
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for Suspicious String and Import combination that Ransomware mostly abuse (can create FP)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Glupteba
    Executable exe ce783f58d78f69218cbcdcf3db34ebdca2e7519a8fcb950b007dc0e78dc188d4 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::SetFirmwareEnvironmentVariableA, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::WriteConsoleA, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleAliasesLengthW, KERNEL32.dll::GetConsoleAliasExesA, KERNEL32.dll::GetConsoleAliasW, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA, KERNEL32.dll::GetFileAttributesA, KERNEL32.dll::GetFileAttributesW
