MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e26a36702257f07a25adc0e5b1a3ceeabcbcb18b63c8d83c0ccb988f848e4a08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 13



SHA256 hash: e26a36702257f07a25adc0e5b1a3ceeabcbcb18b63c8d83c0ccb988f848e4a08
SHA3-384 hash: 930fa510d52023611d22ebc7aea5dc60cc45dbd4ff293284bf8932b4603b6112e1a035053c4797778ffaf4aed25086f9
SHA1 hash: 3f8b87db9799d205b66bb219bb385261b13c6990
MD5 hash: 5655432921d1f7ba0005a97a19904ca5
humanhash: delaware-nine-lake-neptune
File name: 5655432921d1f7ba0005a97a19904ca5
Signature: Glupteba
File size: 15'863'160 bytes
First seen: 2023-11-14 15:01:41 UTC
Last seen: 2023-11-14 16:32:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger). This is the import hash of a bare .NET executable, whose only native import is mscoree.dll!_CorExeMain; it is shared by practically every managed binary and does not pivot to a family.
ssdeep 196608:yH3soW5wpjr2Wr0TFL7pftFHPEjX/KcxvRmteH:03sohszcjS4z
TLSH T125F66C51D2F2A64DE8DA85368E3073F462B36422B713E395CC54E925743C7EB8EC8663
TrID 30.6% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe Glupteba signed
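Why the imphash above is useless as a pivot is easier to see by computing it. The following is an added example, not MalwareBazaar's or pefile's code: the import tables are constructed (the sample's own import table was not parsed), and the `pivot_quality` helper and its labels are my own.

```python
import hashlib

# Constructed import tables, not parsed from the sample: (DLL name as written in
# the import directory, imported symbol). A plain .NET executable imports exactly
# one native symbol, mscoree.dll!_CorExeMain; everything else is resolved by the
# CLR at run time and never appears in the PE import table.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]
DOTNET_DLL_IMPORTS = [("mscoree.dll", "_CorDllMain")]
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("ADVAPI32.dll", "AdjustTokenPrivileges"),
]

# imphash recorded on the page for this sample.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash(imports):
    """Import hash as computed by pefile/VirusTotal: DLL name lower-cased with a
    .dll/.ocx/.sys suffix removed, symbol lower-cased, pairs written as
    'dll.symbol', joined with commas in import-table order and MD5-hashed.
    (pefile additionally maps ordinal-only imports of a few DLLs to names via
    a lookup table; imports by ordinal are not modelled here.)"""
    parts = []
    for dll, symbol in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{symbol.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# The two hashes every stock managed EXE / DLL collapses to.
GENERIC_DOTNET_IMPHASHES = {imphash(DOTNET_EXE_IMPORTS), imphash(DOTNET_DLL_IMPORTS)}


def pivot_quality(h, family_counts):
    """Decide whether an imphash is worth pivoting on. family_counts maps
    family name -> number of samples sharing the hash (the figures
    MalwareBazaar prints next to the hash). 'none' for the bare CLR stub,
    'weak' when several families share it, otherwise 'usable'."""
    if h in GENERIC_DOTNET_IMPHASHES:
        return "none"
    return "weak" if len(family_counts) > 1 else "usable"


if __name__ == "__main__":
    print("bare .NET EXE:", imphash(DOTNET_EXE_IMPORTS), "page:", PAGE_IMPHASH)
    print("native loader:", imphash(NATIVE_IMPORTS))
```

On a real file the same value comes from `pefile.PE(path).get_imphash()`; for managed binaries, pivot on the .NET-specific features instead (TypeRef/MemberRef hashes, module MVID, or the strings the stealer embeds).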

Code Signing Certificate

Organisation: install rox inc
Issuer: install rox inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-11-14T00:40:20Z
Valid to: 2024-11-14T00:40:20Z
Serial number: 559517263cd53941a808cd01cf168a89
Thumbprint Algorithm: SHA256
Thumbprint: c8209e141f2b1bf1871de9407a7f2c61a011df7db6ff11eed91db957c9c678c6
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Subject and issuer are identical, so the certificate is self-signed and chains to no trusted root; it was issued about fourteen hours before the sample was first seen. The "signed" tag therefore says nothing about trust, only that an Authenticode blob is present.
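A triage check over the certificate fields above, as an added example (not MalwareBazaar's or ReversingLabs' code): the values come from this page, the CA-issued certificate used for contrast is constructed, and the finding names, the three-day "fresh" window and the verdict labels are my own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Certificate fields as printed on the page and the sample's "First seen" time.
SAMPLE_CERT = {
    "subject": "install rox inc",
    "issuer": "install rox inc",
    "not_before": "2023-11-14T00:40:20Z",
    "not_after": "2024-11-14T00:40:20Z",
}
SAMPLE_FIRST_SEEN = "2023-11-14 15:01:41 UTC"


def parse_utc(ts):
    """Accept both timestamp styles used on the page and return an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts!r}")


def triage_cert(cert, first_seen, fresh_window=timedelta(days=3)):
    """Return (finding, detail) pairs. Heuristics only: a self-signed certificate
    never chains to a trusted root, so Authenticode validation fails anyway, but
    a valid CA-issued certificate does not make the sample benign either."""
    not_before, not_after = parse_utc(cert["not_before"]), parse_utc(cert["not_after"])
    seen = parse_utc(first_seen)
    findings = []
    if cert["subject"].strip().casefold() == cert["issuer"].strip().casefold():
        findings.append(("self-signed", "subject equals issuer; no CA vouched for this key"))
    age = seen - not_before
    if timedelta(0) <= age <= fresh_window:
        # Certificates minted hours before the first sighting are typical of
        # throwaway signing keys generated per campaign.
        findings.append(("fresh-cert", f"issued {age} before the sample was first submitted"))
    if not (not_before <= seen <= not_after):
        findings.append(("outside-validity", "first seen outside the certificate's validity window"))
    return findings


def signing_verdict(findings):
    """Collapse findings into an action for the triage queue."""
    names = {name for name, _ in findings}
    if "self-signed" in names:
        return "untrusted"      # handle exactly like an unsigned file
    if names & {"fresh-cert", "outside-validity"}:
        return "suspicious"     # validate the chain and check revocation before trusting
    return "verify-chain"       # nothing odd in the fields; still validate the signature


if __name__ == "__main__":
    found = triage_cert(SAMPLE_CERT, SAMPLE_FIRST_SEEN)
    for name, detail in found:
        print(f"{name:18} {detail}")
    print("verdict:", signing_verdict(found))
```

In a pipeline the fields come from the Authenticode blob itself (for instance the output of `signtool verify /v /pa` on Windows or `osslsigncode verify` elsewhere), and the first-seen time from your own telemetry rather than the public submission time.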

Intelligence


File Origin
# of uploads: 2
# of downloads: 369
Origin country: FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Creating a window
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint lolbin msbuild msdeploy overlay packed remote replace
Result
Verdict:
MALICIOUS
Result
Threat name:
Glupteba, Vidar
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking computer name)
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1342420. Sample: Syutqxpe7O.exe. Start date: 14/11/2023. Architecture: WINDOWS. Score: 100.

Graph-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 10 other signatures.

Process tree (reconstructed from the graph export; the node numbers of the original are dropped):

Syutqxpe7O.exe
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; 2 other signatures
  +- CasPol.exe (the Microsoft-signed .NET Framework Code Access Security Policy tool; it serves as the injection host here, so the network activity and drops below are attributed to a legitimate binary)
  |    network: 91.92.243.139 THEZONEBG Bulgaria; 111.90.146.230 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia; 5 other IPs or domains
  |    dropped: C:\Users\...\zzKJwrXKq9ybqMwZMqV4iOlt.exe (PE32); C:\Users\...\y9UOo04WHQnP0jIFYBEWSXnD.exe (PE32); C:\Users\...\xqX0ylBgjxnDM6kfe028wO93.exe (PE32); 192 other malicious files
  |    signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior)
  |    +- VkNBduX1S7v4QpQWsYcXHLoo.exe
  |    |    network: 5.182.38.138 VMAGE-ASRU Russian Federation; 149.154.167.99 TELEGRAMRU United Kingdom; 116.203.7.211 HETZNER-ASDE Germany
  |    |    dropped: C:\Users\user\AppData\...\sqlite3[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 10 other files (6 malicious). These are the Mozilla NSS and SQLite libraries a stealer downloads to read browser credential stores, consistent with the Vidar detection above.
  |    |    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 6 other signatures
  |    +- GmQctXJx0jH1t9faSA23484c.exe
  |    |    signatures: Found Tor onion address; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  |    |    +- powershell.exe
  |    |    |    +- conhost.exe
  |    |    +- GmQctXJx0jH1t9faSA23484c.exe
  |    +- SRI21TYKqdWS2gH0Za8Qbhm4.exe
  |    |    +- powershell.exe
  |    |         +- conhost.exe
  |    +- 26 other processes
  |         network: 74.201.73.52 DEDICATEDUS United States; 1.1.1.1 CLOUDFLARENETUS Australia; 2 other IPs or domains
  |         signatures: Multi AV Scanner detection for dropped file
  +- powershell.exe
       +- conhost.exe
cmd.exe
  +- oVKHz6rQcPq9heKWU1HuSwDN.exe
  |    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
  +- conhost.exe
cmd.exe
  +- i9Biekkrnwpa2gyxwequ3Y1D.exe
  |    signatures: Multi AV Scanner detection for dropped file
  +- conhost.exe
2 other processes
  +- conhost.exe
  +- conhost.exe
  +- Qn3RqlSjJip1lYSTZKZHqdwT.exe
Threat name:
ByteCode-MSIL.Trojan.Zilla
Status:
Malicious
First seen:
2023-11-14 12:32:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
glupteba
Score:
  10/10
Tags:
family:glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
UAC bypass
Windows security bypass
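The behaviours listed above (Defender exclusion, UAC disabled through the registry, bcdedit changes, sc.exe driver installation, scheduled tasks, Run-key persistence, timeout.exe delays) all leave process-creation telemetry. The following is an added example of how a detection engineer would encode them as rules and run them over Sysmon Event ID 1-style events; it is not vendor or MalwareBazaar code. The events are constructed and their command lines are not from this sample's detonation (the WinMon service name is borrowed from the vendor note, the rest is invented); the rule names and severity weights are my own.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 field names). They
# model the vendor-listed behaviours, plus one benign sc.exe call as a control.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {current} nointegritychecks on"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create WinMon type= kernel binPath= C:\Windows\System32\drivers\WinMon.sys"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query wuauserv"},                       # benign control
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "csrss" /tr "C:\Users\user\AppData\Roaming\csrss.exe" /sc onlogon'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d "C:\Users\user\AppData\Roaming\svc.exe" /f'},
    {"Image": r"C:\Windows\System32\timeout.exe",
     "CommandLine": "timeout /t 30 /nobreak"},
]

# Each rule: (name, severity, predicate over (image basename, lower-cased command line)).
RULES = [
    ("defender_exclusion_added", "high",
     lambda exe, cmd: exe in ("powershell.exe", "pwsh.exe")
        and re.search(r"add-mppreference\s+.*-exclusion(path|process|extension)", cmd)),
    ("uac_disabled_via_registry", "high",
     lambda exe, cmd: exe == "reg.exe" and r"policies\system" in cmd
        and re.search(r"/v\s+enablelua\b.*/d\s+0\b", cmd)),
    ("bcdedit_boot_config_change", "high",
     lambda exe, cmd: exe == "bcdedit.exe"
        and re.search(r"\b(nointegritychecks|testsigning)\b", cmd)),
    ("kernel_driver_service_created", "high",
     lambda exe, cmd: exe == "sc.exe" and re.search(r"\bcreate\b.*type=\s*kernel", cmd)),
    ("scheduled_task_from_user_dir", "medium",
     lambda exe, cmd: exe == "schtasks.exe" and "/create" in cmd and "appdata" in cmd),
    ("run_key_persistence", "medium",
     lambda exe, cmd: exe == "reg.exe" and r"currentversion\run" in cmd),
    ("timeout_execution_delay", "low",
     lambda exe, cmd: exe == "timeout.exe"),
]

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def evaluate(events, rules=RULES):
    """Run every rule over every event; return hits as (event_index, rule, severity)."""
    hits = []
    for i, ev in enumerate(events):
        exe = ntpath.basename(ev["Image"]).lower()   # ntpath handles backslashes on any OS
        cmd = ev["CommandLine"].lower()
        for name, severity, predicate in rules:
            if predicate(exe, cmd):
                hits.append((i, name, severity))
    return hits


def score(hits):
    """Sum severity weights over distinct rules, so a loop re-running the same
    command does not inflate the total."""
    distinct = {name: severity for _, name, severity in hits}
    return sum(SEVERITY_WEIGHT[s] for s in distinct.values())


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for i, name, severity in found:
        print(f"[{severity:<6}] event {i}: {name}")
    print("score:", score(found))
```

The regexes deliberately key on the effect (the EnableLUA value, `type= kernel`, a task pointing into AppData) rather than on file names, which this family regenerates per drop.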
Unpacked files
SHA256 hash:
9eaa5c4db23137740aa651545a8900c53beeed33f2b555daae838c770e53620c
MD5 hash:
cee7e501fa9f1677d10324cf714c2d6b
SHA1 hash:
9892bc0d1602d49f83abd209ac10b4ae2aaede98
SHA256 hash:
e26a36702257f07a25adc0e5b1a3ceeabcbcb18b63c8d83c0ccb988f848e4a08
MD5 hash:
5655432921d1f7ba0005a97a19904ca5
SHA1 hash:
3f8b87db9799d205b66bb219bb385261b13c6990
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe e26a36702257f07a25adc0e5b1a3ceeabcbcb18b63c8d83c0ccb988f848e4a08 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-11-14 15:01:42 UTC

url : hxxp://91.92.243.139/files/InstallSetup4.exe
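Turning the reporter's comment and the network and hash lines of the sandbox report into usable IOCs, as an added example that is not MalwareBazaar's code: the excerpt is assembled from values on this page, while the refang/extract logic, the shared-infrastructure list and the verdict labels are my own assumptions about what a SOC would block versus merely hunt on.

```python
import ipaddress
import re

# Excerpt assembled from this page (reporter comment, sandbox network lines,
# hash lines); the layout is constructed for the example.
REPORT = """\
url : hxxp://91.92.243.139/files/InstallSetup4.exe
91.92.243.139 THEZONEBG Bulgaria
111.90.146.230 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia
5.182.38.138 VMAGE-ASRU Russian Federation
149.154.167.99 TELEGRAMRU United Kingdom
116.203.7.211 HETZNER-ASDE Germany
74.201.73.52 DEDICATEDUS United States
1.1.1.1 CLOUDFLARENETUS Australia
SHA256 e26a36702257f07a25adc0e5b1a3ceeabcbcb18b63c8d83c0ccb988f848e4a08
SH256 hash: 9eaa5c4db23137740aa651545a8900c53beeed33f2b555daae838c770e53620c
"""

# Shared infrastructure that shows up in nearly every detonation. The vendor
# note above ("Legitimate hosting services abused for malware hosting/C2")
# explains the Telegram hit: worth hunting on, not safe to block. Which ranges
# belong here is an assumption about your own environment.
SHARED_INFRA = {
    ipaddress.ip_network("1.1.1.1/32"): ("ignore", "Cloudflare public resolver"),
    ipaddress.ip_network("149.154.160.0/20"): ("hunt-only", "Telegram; abused as a C2 dead drop"),
}

_URL = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"'<>]+", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(ioc):
    """Undo the usual defanging so the value can be fed to a blocklist."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.I)
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def classify_ip(text):
    """'block', 'hunt-only' or 'ignore', with a reason for the non-block cases."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "ignore", "not a valid address"
    if not ip.is_global:
        return "ignore", "non-routable (sandbox-internal or RFC 1918)"
    for net, (verdict, reason) in SHARED_INFRA.items():
        if ip in net:
            return verdict, reason
    return "block", ""


def extract_iocs(text):
    """Deduplicated, refanged IOCs in order of first appearance."""
    return {
        "urls": list(dict.fromkeys(refang(u) for u in _URL.findall(text))),
        "ipv4": list(dict.fromkeys(_IPV4.findall(text))),
        "sha256": list(dict.fromkeys(h.lower() for h in _SHA256.findall(text))),
    }


def triage(text):
    """Split extracted addresses by verdict; hashes and URLs pass through."""
    iocs = extract_iocs(text)
    out = {"block": [], "hunt-only": [], "ignore": [], "reasons": {},
           "urls": iocs["urls"], "sha256": iocs["sha256"]}
    for ip in iocs["ipv4"]:
        verdict, reason = classify_ip(ip)
        out[verdict].append(ip)
        if reason:
            out["reasons"][ip] = reason
    return out


if __name__ == "__main__":
    result = triage(REPORT)
    for key in ("urls", "sha256", "block", "hunt-only", "ignore"):
        print(f"{key:9}", result[key])
    print("reasons  ", result["reasons"])
```

The download URL is a direct hit on the first-stage host, so it and its IP go straight to the blocklist; the Telegram address is recorded with its reason so an analyst does not mistake a pipeline artefact for attacker-owned infrastructure.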