MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45
SHA3-384 hash: 936a98241bb3f493650edc80f9cdb8f74cad759a33ac0dd1002bbd1d3515ef8f8df8b26c9af826ca3ea905f8736b32b2
SHA1 hash: bb8e5a0206f8909afbf5b32a1493e686e596c040
MD5 hash: cb1fa9b5d0509372c8299742a9a36228
humanhash: speaker-blue-ink-april
File name:cb1fa9b5d0509372c8299742a9a36228.exe
Download: download sample
Signature Glupteba
Create hunting rule
File size:391'147 bytes
First seen:2024-04-28 14:56:53 UTC
Last seen:2024-04-28 15:37:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:nuDVaPk2lPJXTFeDesiljumKYkgJTZHuNp1j2kgotz298P/uH8hzJr9dPYM25PEB:uDVaPkaPJXheUumKYkgJZWp1j2szh+8H
TLSH T1B18423266F6DA37BE54F00B65F1329C12728B2A123DFD7B8C2D47060A476764A834B79
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
New Text Document.bin.exe
Verdict:
Malicious activity
Analysis date:
2024-04-27 17:10:29 UTC
Tags:
hausbomber loader opendir stealer risepro phorpiex raccoonclipper evasion rat quasar remote asyncrat dbatloader exfiltration amadey botnet xworm gcleaner stealc adware neoreklami meta metastealer redline telegram leak stormkitty rhadamanthys gh0st purplefox backdoor socks5systemz proxy
Link:
https://app.any.run/tasks/5b260113-d154-4cab-bc42-af53c170fd39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connecting to a non-recommended domain
Sending a UDP request
Running batch commands
Launching cmd.exe command interpreter
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Searching for analyzing tools
Creating a file in the %temp% directory
Modifying a system file
Using the Windows Management Instrumentation requests
Replacing files
Reading critical registry keys
Creating a window
Launching a service
Creating a file in the %AppData% subdirectories
Connection attempt to an infection source
Query of malicious DNS domain
Blocking the Windows Defender launch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/662e63c1d0e2a012b4263239/reports/f1d878b5-234d-4aed-9a02-e7b165722f9f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c7f62962-cd99-4651-9f0f-252d42754183
Result
Threat name:
Glupteba, Mars Stealer, PureLog Stealer,
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1432956
Signature
.NET source code references suspicious native API functions
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1432956 Sample: w0rLhtV1ui.exe Startdate: 28/04/2024 Architecture: WINDOWS Score: 100 129 Found malware configuration 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 Antivirus detection for dropped file 2->133 135 16 other signatures 2->135 8 w0rLhtV1ui.exe 3 2->8         started        11 svchost.exe 2->11         started        13 svchost.exe 1 2->13         started        15 14 other processes 2->15 process3 dnsIp4 173 Found many strings related to Crypto-Wallets (likely being stolen) 8->173 175 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->175 177 Writes to foreign memory regions 8->177 183 3 other signatures 8->183 18 CasPol.exe 15 215 8->18         started        23 WerFault.exe 19 16 8->23         started        25 conhost.exe 8->25         started        27 CasPol.exe 8->27         started        179 Changes security center settings (notifications, updates, antivirus, firewall) 11->179 181 Query firmware table information (likely to detect VMs) 13->181 123 23.221.242.90 TISCALI-IT United States 15->123 125 20.190.190.195 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->125 127 4 other IPs or domains 15->127 29 chrome.exe 15->29         started        31 WerFault.exe 2 15->31         started        33 chrome.exe 15->33         started        35 2 other processes 15->35 signatures5 process6 dnsIp7 95 107.167.110.211 OPERASOFTWAREUS United States 18->95 97 185.172.128.59 NADYMSS-ASRU Russian Federation 18->97 105 9 other IPs or domains 18->105 67 C:\Users\...\zDgmnpxV3pCt4JPVQcZHjq3h.exe, PE32 18->67 dropped 69 C:\Users\...\wr4YVnjdlU0fi2sBIyCYQxMb.exe, MS-DOS 18->69 dropped 71 C:\Users\...\wPetYtZSVDseBsNNfdjVElRt.exe, PE32 18->71 dropped 73 126 other malicious files 18->73 dropped 145 Installs new ROOT certificates 18->145 147 Drops script or batch files to the startup folder 18->147 149 Creates HTML files with .exe extension (expired dropper behavior) 18->149 151 Writes many files with high entropy 18->151 37 UX5S1uhgG9MF6CyCFIN5Hc1f.exe 18->37         started        42 SjfGIS6nYZ7ZCbep9QRYBksU.exe 18->42         started        44 4wwZW87M9Eva8gbryjdyMQQw.exe 18->44         started        46 11 other processes 18->46 99 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->99 101 142.251.167.102 GOOGLEUS United States 29->101 103 142.251.167.94 GOOGLEUS United States 29->103 107 4 other IPs or domains 29->107 file8 signatures9 process10 dnsIp11 109 87.240.132.78 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 37->109 111 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 37->111 117 18 other IPs or domains 37->117 75 C:\Users\...\zgQZcFNfevaph6BJqvjx03L_.exe, MS-DOS 37->75 dropped 77 C:\Users\...\x33PPO580SbfRnaS3oSoDuHz.exe, PE32 37->77 dropped 79 C:\Users\...\w0VHAv96DXfT4L9dqdRnjICP.exe, PE32 37->79 dropped 85 23 other malicious files 37->85 dropped 153 Query firmware table information (likely to detect VMs) 37->153 155 Drops PE files to the document folder of the user 37->155 157 Creates HTML files with .exe extension (expired dropper behavior) 37->157 169 8 other signatures 37->169 119 3 other IPs or domains 42->119 87 5 other malicious files 42->87 dropped 159 Detected unpacking (overwrites its own PE header) 42->159 161 Writes many files with high entropy 42->161 48 u5r0.0.exe 42->48         started        89 5 other malicious files 44->89 dropped 53 u5vg.0.exe 44->53         started        113 107.167.110.217 OPERASOFTWAREUS United States 46->113 115 107.167.125.189 OPERASOFTWAREUS United States 46->115 121 2 other IPs or domains 46->121 81 C:\Users\user\AppData\Local\Temp\...\run.exe, PE32 46->81 dropped 83 C:\Users\user\AppData\Local\...\relay.dll, PE32 46->83 dropped 91 25 other malicious files 46->91 dropped 163 Detected unpacking (changes PE section rights) 46->163 165 Tries to detect sandboxes and other dynamic analysis tools (window names) 46->165 167 Found many strings related to Crypto-Wallets (likely being stolen) 46->167 171 3 other signatures 46->171 55 W6DLdQlWh8thllNjKTDVRRRD.exe 46->55         started        file12 signatures13 process14 dnsIp15 93 185.172.128.150 NADYMSS-ASRU Russian Federation 48->93 57 C:\Users\user\AppData\...\softokn3[1].dll, PE32 48->57 dropped 59 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 48->59 dropped 61 C:\Users\user\AppData\...\mozglue[1].dll, PE32 48->61 dropped 65 9 other files (5 malicious) 48->65 dropped 137 Detected unpacking (changes PE section rights) 48->137 139 Detected unpacking (overwrites its own PE header) 48->139 141 Found many strings related to Crypto-Wallets (likely being stolen) 48->141 143 4 other signatures 48->143 63 Opera_installer_2404281459230439036.dll, PE32 55->63 dropped file16 signatures17
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-04-27 19:53:39 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2cpuonr4ehyafjqv5nshnfz47ed6xhckwfvr7gvdscpcabtfvrcq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/240428-sbk3aaae9w/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Unpacked files
SH256 hash:
d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45
MD5 hash:
cb1fa9b5d0509372c8299742a9a36228
SHA1 hash:
bb8e5a0206f8909afbf5b32a1493e686e596c040
Link:
https://www.unpac.me/results/cefbc6a7-3731-4741-a87a-983004919cec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d09f47363c21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2819428/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments