MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 14

Intelligence 14 IOCs YARA 50 File information Comments

SHA256 hash:	d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d
SHA3-384 hash:	dcd1ab03e8813e3b818afd6d3398f5768aa3ff23f020ce63283834a26522ab172e4d2b2c7433e0575e048b7bca2ab976
SHA1 hash:	13d1373d860140cf8df49f5f79c782a29d31356b
MD5 hash:	9acf5751d05a261a62aa928e3796d81c
humanhash:	ack-six-item-georgia
File name:	d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d
Download:	download sample
Signature	Glupteba Create hunting rule
File size:	4'390'256 bytes
First seen:	2023-11-09 12:42:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7f5ebfefac7f02e8617b9aa5659c8d4e (1 x Smoke Loader, 1 x Glupteba)
ssdeep	98304:Umw1LPDnxxF+Jqv82oqnb20jW7y9i795h4PUaS1EdSCrvUqdsW:MJn1h8gj59e9U61EdR1
TLSH	T12916330173F27C95EA721832A4699AB9733EF9206D6C726B2715C72F58B80E0C7B7345
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	70d0ded8d0c9d2dd (1 x RedLineStealer, 1 x Glupteba)
Reporter	adrian__luca
Tags:	exe Glupteba

Intelligence

File Origin

# of uploads :

# of downloads :

319

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Tofsee-10008793-0

Win.Packed.Dropperx-10008820-0

Win.Packed.Trojanx-10008988-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Launching a service

Restart of the analyzed sample

Creating a file in the Windows subdirectories

Running batch commands

Launching the process to change the firewall settings

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

amadey greyware overlay packed tofsee

Link:

https://www.filescan.io/uploads/654cd3ee3b0c3d662607fc7c/reports/e5e093ab-b60d-4224-8db8-515b5f1912d5/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Upgdsed

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b0736ba-79d2-463c-977f-2d6b6d73fc1a

Result

Threat name:

Glupteba

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1339701

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found Tor onion address

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Glupteba

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d/

Threat name:

Win32.Trojan.StealC

Status:

Malicious

First seen:

2023-09-22 04:30:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2vtzevrsgv2qieppjba6d2rxaonf3mviqeaum42bck5q4ep7gzwq._file

Verdict:

malicious

Result

Malware family:

glupteba

Score:

10/10

Tags:

family:glupteba discovery dropper evasion loader persistence rootkit trojan upx

Link:

https://tria.ge/reports/231109-pxxfnaag25/

Behaviour

Creates scheduled task(s)

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Drops file in System32 directory

Adds Run key to start application

Checks installed software on the system

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Drops file in Drivers directory

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Modifies boot configuration data using bcdedit

Glupteba

Glupteba payload

Windows security bypass

Unpacked files

SH256 hash:

e206de78f87b7d3f73242e179261d0bd7a91524bc2ef6cb043789c4b8e8b3e69

MD5 hash:

139a0ba2600e97aae458a2db1324fc08

SHA1 hash:

afbeaa6d4008abb99596e19747deb92d8a22a45f

Detections:

Glupteba

Link:

https://www.unpac.me/results/c1fa9e31-10de-4205-b58e-a15b81ccaa6a/

Parent samples :

265a9e7f1ceb8b4fd7f8bc18826b9eb68826af0e22d0ff074c19d7d0e77e8fd3
d571dbe3249950ebc2a8b600b9e3dcac5fa2393b84983709995df071d7f9a2be
222301a390730394fdfba560a8a0070c3571aaf9541d4c96cb5ee931b26ede59
f2d0f2dac71c7ee35134c60db2f50514005e58832b2dedc388080c71dad6f411
7d07d17c2783ceeee097dc94082d7991a7e27755065dc5f73be10321803fe80f
aa234447899c8ce342f8b90ddd3bc2ba20cb51ed6856835ba9c18e842f057215
08e61151199e31c2cf54f12f95c8ad95ee8467bb630166800114c0b912682a74
1e662d2a9bc77dc09ff39c21dbd8f11968da7c1dea6f4bbcfc5216c0d8f8c8fd
27ea24685a6d2531295871e4ddafb9c9a47873e0bc434d0fef0706d5487dc42c
7406f239a9fbb2d5b2f04043795102fda05e04706d2445f2a538d621298dabda
62256fe57905ac3855bd6d2e200162e3692a47f3bb32946fbf6d85a97fb74a8d
6531b801cc6cbf4139616803f9d43e9b886eed6c9ca82b86bb9c461c50f673a0
336e13cf278f9d39ac6d95cede295d3af1c903b5f0ca9c865f1a44f07683bcd8
0ed14c1e8965c13065a00f7d3159a4c711faa24643b4c4815e88299cba495ba0
a09d7d79ba4e1177ee17cc8f10e21508b3b69cf2a29c0f8b3bb478a65ad60846
27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7
4c4e0c61380662adc756d147f9c51ead1d3a6913f49510eae2766270b778f427
010fe481ba6275ebbf71e102e66d73f5d819252f2b4b1893d2acf53c04f4200f
ace208a4aebe9ac1b659808b108c795961d1160de5b147be47b5624f6de46830
475fc6c207d89eed272ef4d2c8096de644c476d6b6d6b295f2ea81b0d404c01a
08dcd62ba2989e93c04ce28b5619d9aae32d1fa40ea8003eb85d211be9772089
ab1a8ab5aa1f5c62fa6f2027c9bc4ed91a30385ec847cf92226ae144493df35d
7b243fdb0e70c99ea3801a57b9916d61441ce66197d763246d9ef0f432c6812b
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f
edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a
18acbe225a09abaf3a67f12e79b67d498b3d809faa526b69b40170f4a7beff0d
530ba3e07e01ded69f648ab41bf6967677526630e0b78dd91e03304622871680
ff2190173c71d9e4a5a7c9b5356cd2a5b762a735b3bc0e920113735735c625c4
bbe7c155c748f15faa3994f66075b46daeeac61a929d8c9bc247af0a5c2d8e4c
cf2ba11b6ae9a9893d6f7a65f6b6251a110e51c1eee656455c4a3caf68c738d9
70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d
d822320e69cb0ddf07bd762ddf9d56bf46bae93a37ed1abc7d37485faf56761a
173cf6b50cfad4fa06f6826452aeceae743a49fb7c2cdc6445961c01dc11da92
a754eb655af6114a85fe5d32bc3a42b0038fec86c2d557fef2d3f2f92d68b942
b115ad95814af3c46b71fd230d3b2a224c8a8f356b27e0367b0f98d4948b2b60
98e2336afe9aed01d8859c988cb984a017800bf5a5760a643b9f5579c8936e40
31c5da8614998e7836aaf3c70559f7710edbd4b536b840e0c63babfdc95c5921
0c620ad9e0327c9397c2e869a45e3c24cf234f6da22df60ae7fcd802c63d0e8c
8d833183ab5dcf4f622de22dd3bb6df752725339804906f7bb374b6df7c3c354
78d20bb0f3344b725617819f4f2c2246a3c1d1cada81d931d63603f67a1b7aa7
f9bc3ddfb1e5e253dac94c91d2d678ad2f1c61537207e71fc04d42af28b04520
8f3054ea1c4adfcafc009a413324aec4d47357384e1f57c08a4cdc8ec3863826
f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
96a8fc693eb17083f2fc31beffbbda57741ddec7b3ff38d29554a55bac7909a7
2cf8ca0a1593e5ef380c8d8e9207f4257bbc4ef1ad2a5a5315f321ffecdc70ec
66da62cc89a98f16d5e1abd5668d91e04be2f024354b1dab5b805610cf482ed4
93ec2f65e8dcbd9bf755573667f9bc5d085e3533f1c0a67391fd2feed16899ed
90ea61df57638931a932194ba370a6b0e68c2e149a3a79c350437a11c63a2d9a
d1fba6a4c016f0c76ca578d5f7e656fe12f4abc260eec61e668c398a6e3e8bad
03e8ce6519475df85008e4abed555b02150fb60d8afb039b98a3fae433679c4c
2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
c057351817aed450137d0445d192900399d35498d8523bcb52264edf7e56b54c
31095cd8210c0dc8061090055014e5bf7990e5835378bdfd0372c416355b9cac
295daf4708da6e3b7613e4ea7637739054656332c3dfdfb0499431ef267e6a39
ebf0fbb2d06f3a42839c341b052cfe7b8b4e0b7e93a5f37a3c426f27a762e63a
e30d175069d8b2cfacb4ae58ef031a817141a320ab6c69923239afffdc897bf6
1d72961d502e70a02b703d2ea171d370ab8d62281aa9d6200a81b4a5e210e55f
dfe54b78172996677a5847633964338462e29277e09e28f6db7beec2d3d01244
82ece5e948ab466f78cc02f5cec49ded063af38623f32fd5bf9b00538e00cace
6a9ca8cd0fe53e1036bc16b292926a413dc4aa896f4da8a29afd10c65138799f
0ff5066a1c9caf9db55ddca514049faa9badfd6bee0a6e8ba825ee8198b65efb
adb6d89cae18f5501ce8c7e25a22de907bec44d74f583f9c5b2499a5e955534b
a75f981326ea2802a6255e99d414aad4ebc4871b9547897dd70fea3b8105ed42
8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
4aa80d6935201d51bc5be593908289cc2e239be14991a5dc6054bb19e7f90c44
7b101e4c3f86d6b121d25c79d718af9b24ad1ba2bbf9ad83dc285b8ba2e4756a
c4a2e403dc091a191ae09578bf914baf70fd9b2d9593f8061dc953cbd431e5b5
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc
746b5874dbdfcd6168d395a2da5cd43dabadad8ec4a38c1c87d8c3779d41f5f7
0e11a6be0205a2a9ffbe57ac11c8057c2d72fbd794c6303f445c3ddfc2fa6c97
bada456f7b51709847d11d6b7d17a2e1d4322dec3c36abbd87ed594242ea2b59
f24d47bd9cc9daa71c869a1d06551801395ba2bbbff0c33a102e79d32c0a630d
3434aa61c95c3ec240471fc0fdfca1143a50281314a8e61c3a7d8887b0233ce3
c39a990dc179128a4d4136de519676636ad393b77f43913fb0d5c238b20c95d7
d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d

SH256 hash:

d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d

MD5 hash:

9acf5751d05a261a62aa928e3796d81c

SHA1 hash:

13d1373d860140cf8df49f5f79c782a29d31356b

Link:

https://www.unpac.me/results/c1fa9e31-10de-4205-b58e-a15b81ccaa6a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d56792563235750411ef4841e1ea37039a5db2a8810146734112bb0e11ff366d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	crime_ZZ_botnet_aicm Create hunting rule
Author:	imp0rtp3
Description:	DDoS Golang Botnet sample for linux called 'aicm'
Reference:	https://twitter.com/IntezerLabs/status/1401869234511175683

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	Glupteba Create hunting rule

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_SUSPICIOUS_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing artifcats associated with disabling Widnows Defender

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing URLs to raw contents of a Github gist

Rule name:	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many varying, potentially fake Windows User-Agents

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	SUSP_Websites Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference of suspicious sites that might be used to download further malware

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	UroburosVirtualBoxDriver Create hunting rule

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample