MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b
SHA3-384 hash: c8e7f433cae7ced695974acb0483d65903a08fd0eea8896ba0447d82e49cb0cc97406d20090a90f83481c560718e5ccd
SHA1 hash: 54c197630201ec81831d96686dd92f1c86e557a6
MD5 hash: a56481f1b2b6f46167861f473c76b500
humanhash: moon-three-happy-wolfram
File name:a56481f1b2b6f46167861f473c76b500
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'651'048 bytes
First seen:2021-09-04 03:38:11 UTC
Last seen:2021-09-04 05:22:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 193b8a18b82d2d8f5b36c7239901d2c7 (4 x ArkeiStealer, 3 x Glupteba, 3 x Stop)
ssdeep 98304:9jjqa5YSMDd5wN7Jtf1poF7HDVHdALj/v2wx0YyvY0NCr6+:9jj8SMDkVREs32BPvtl+
Threatray 161 similar samples on MalwareBazaar
TLSH T1ED2633206A40C077F8AA25F88E7AC6F8A57C6D615B3051CF92C16EED637D6E5ED30603
dhash icon 60e8e8e8aa66a499 (24 x RaccoonStealer, 14 x RedLineStealer, 7 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a56481f1b2b6f46167861f473c76b500
Verdict:
Suspicious activity
Analysis date:
2021-09-04 03:40:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/70fdade8-2ff2-4892-8a3f-ae2a62451f13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185244/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.9585.11918.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a service
Sending a UDP request
Connection attempt to an infection source
Running batch commands
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Creating a file in the %temp% subdirectories
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Disabling the operating system update service
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Malware family:
Glupteba
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ecfcbec-f167-44b6-9aa7-2ffba4dc30a6
Result
Threat name:
Glupteba Metasploit
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845121
Signature
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Yara detected Glupteba
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477552 Sample: L1DT0e7Zmk Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 81 Found malware configuration 2->81 83 Antivirus detection for URL or domain 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 10 other signatures 2->87 9 L1DT0e7Zmk.exe 19 2->9         started        12 csrss.exe 2->12         started        14 csrss.exe 2->14         started        16 csrss.exe 2->16         started        process3 signatures4 97 Detected unpacking (changes PE section rights) 9->97 99 Modifies the windows firewall 9->99 101 Drops PE files with benign system names 9->101 18 L1DT0e7Zmk.exe 11 2 9->18         started        23 csrss.exe 12->23         started        25 csrss.exe 14->25         started        27 csrss.exe 16->27         started        process5 dnsIp6 73 humisnee.com 104.21.21.120, 443, 49706 CLOUDFLARENETUS United States 18->73 63 C:\Windows\rss\csrss.exe, PE32 18->63 dropped 89 Drops executables to the windows directory (C:\Windows) and starts them 18->89 91 Creates an autostart registry key pointing to binary in C:\Windows 18->91 29 csrss.exe 4 7 18->29         started        34 cmd.exe 1 18->34         started        file7 signatures8 process9 dnsIp10 75 server2.ninhaine.com 104.21.9.31, 443, 49709, 49710 CLOUDFLARENETUS United States 29->75 77 hammersd.info 172.67.138.206, 443, 49717 CLOUDFLARENETUS United States 29->77 79 3 other IPs or domains 29->79 65 C:\Users\user\AppData\Local\...\injector.exe, PE32+ 29->65 dropped 67 C:\Users\...67tQuerySystemInformationHook.dll, PE32+ 29->67 dropped 69 C:FI\Microsoft\Boot\bootmgfw.efi, MS-DOS 29->69 dropped 71 4 other files (none is malicious) 29->71 dropped 103 Multi AV Scanner detection for dropped file 29->103 105 Detected unpacking (changes PE section rights) 29->105 107 Machine Learning detection for dropped file 29->107 111 2 other signatures 29->111 36 injector.exe 29->36         started        39 mountvol.exe 1 29->39         started        41 mountvol.exe 1 29->41         started        47 4 other processes 29->47 109 Uses netsh to modify the Windows network and firewall settings 34->109 43 netsh.exe 3 34->43         started        45 conhost.exe 34->45         started        file11 signatures12 process13 signatures14 93 Multi AV Scanner detection for dropped file 36->93 49 conhost.exe 36->49         started        51 conhost.exe 39->51         started        53 conhost.exe 41->53         started        95 Creates files in the system32 config directory 43->95 55 conhost.exe 43->55         started        57 conhost.exe 47->57         started        59 conhost.exe 47->59         started        61 conhost.exe 47->61         started        process15
Detection:
glupteba
Create hunting rule
Link:
https://mwdb.cert.pl/sample/de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-04 01:23:12 UTC
AV detection:
10 of 27 (37.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3y4wbxgsoseonw7ztiglx7vutiihccdk3rskkr2gbiy7ydtgronq._file
Verdict:
suspicious
Similar samples:
07792a24e211c9addd2b46ff799ecda7ab119edb6b043d66031097ae03c70c5f
Glupteba
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
Glupteba
20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1
Glupteba
68d83afa2dc4272e54c4ebb1ab8981e7f00442dfe6e66c8b7299c30a230be997
Glupteba
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
Glupteba
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
Glupteba
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
Glupteba
+ 151 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:metasploit backdoor dropper loader trojan
Link:
https://tria.ge/reports/210904-d7mhnadff3/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtCreateUserProcessOtherParentProcess
Glupteba
Glupteba Payload
MetaSploit
Unpacked files
SH256 hash:
bd2d2444229feb677e127cd341e336202ec33688626cbe0661b7414b3e481ad3
MD5 hash:
ca7c9a0345b1a820d48b9c5db50a5050
SHA1 hash:
0284ba81dc1d3ff686cbadd69bef68e58dfef5d8
Detections:
win_zloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/898386ce-0ce7-4673-ad2c-d0c9992a3052/
Parent samples :
79123c765ff9f7d116bbf4bd64a52c2bc33195a1287666ea379d89a5eaf0ec40
b6c20b3a2c6ecd2f50faf45c41218417dadfadc6b4230ca7c8fd1e4439d1046e
7648e6caa40622f2d5c625f3b05b3a5c985592f845c26126311a769c7e256c78
68d83afa2dc4272e54c4ebb1ab8981e7f00442dfe6e66c8b7299c30a230be997
20586a2f58155f672c3a5356ede6d6eb515246da481d92c724971c1536ced8d1
2374688ef4bb51c7a7477bd3cac94db24f00f3707094e569aa4e4681d06a5176
df0a2b50cba47cba62df3b128948dead529e8ccfbf59225e24bb47eadd2c4a81
07792a24e211c9addd2b46ff799ecda7ab119edb6b043d66031097ae03c70c5f
de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b
15e0683d932a4c4896482a9ad0ac354ad129f656803245a3cccc12cec9621559
6ac8f87ce26a0a9ad330c8b42342b6891d12df43be535f9c487855182a39aa1f
SH256 hash:
de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b
MD5 hash:
a56481f1b2b6f46167861f473c76b500
SHA1 hash:
54c197630201ec81831d96686dd92f1c86e557a6
Link:
https://www.unpac.me/results/898386ce-0ce7-4673-ad2c-d0c9992a3052/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe de3960dcd27488e6dbf99a0cbbfeb49a1071086adc64a547460a31fc0e668b9b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185244/

Comments


Avatar
zbet commented on 2021-09-04 03:38:11 UTC

url : hxxp://qwertys.info/82550150ac3397ed391e34aa99d35be4.exe