MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5f297504744c01bec8a5903f55b7fcc149e39a334a1c1cb80960878604b5012. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5f297504744c01bec8a5903f55b7fcc149e39a334a1c1cb80960878604b5012
SHA3-384 hash: cf0a8e8b68966a79f524eddd0dc14ffa132f969141d73dfa564203368c7682da43bc131815385201e90a70c62bacc952
SHA1 hash: df23f4d993f1d7c2c596eeb79d2a4968747b314e
MD5 hash: bb83e8db740d3441abb88dc34fd3759e
humanhash: arizona-carolina-mobile-avocado
File name:bb83e8db740d3441abb88dc34fd3759e
Download: download sample
Signature Glupteba
Create hunting rule
File size:1'955'328 bytes
First seen:2023-11-27 17:34:42 UTC
Last seen:2023-11-27 19:19:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:Y2gnhjtlJEVGylDWYMl2q9SASTcfRYO1BguRF7/FgvfzckJrvSmbuvF:Y2scwylVMlVwqRhxFMBJWdF
Threatray 13 similar samples on MalwareBazaar
TLSH T1E6958D097F94EE65D2AD93F8C46144048779E99E3602E31A6341DAFCF9673FECD82092
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
2
# of downloads :
340
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460778/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.14419.15890.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Blocking the User Account Control
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6564d347380413dc0c238871/reports/16779400-653d-4fc8-aad8-c468f1e50468/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/e5f297504744c01bec8a5903f55b7fcc149e39a334a1c1cb80960878604b5012
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/771b9b65-b9b6-4c8d-ac4a-5c20606ccabf
Result
Threat name:
Glupteba, Socks5Systemz, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1348793
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
DLL side loading technique detected
Drops script or batch files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Socks5Systemz
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1348793 Sample: R2b44BGATA.exe Startdate: 27/11/2023 Architecture: WINDOWS Score: 100 197 Malicious sample detected (through community Yara rule) 2->197 199 Antivirus detection for URL or domain 2->199 201 Multi AV Scanner detection for dropped file 2->201 203 11 other signatures 2->203 10 R2b44BGATA.exe 2 4 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        17 5 other processes 2->17 process3 signatures4 219 Writes to foreign memory regions 10->219 221 Allocates memory in foreign processes 10->221 223 Adds extensions / path to Windows Defender exclusion list (Registry) 10->223 227 3 other signatures 10->227 19 CasPol.exe 15 26 10->19         started        24 powershell.exe 22 10->24         started        26 vd62qzuyzvsqh3EOlrCsekRr.exe 13->26         started        28 conhost.exe 13->28         started        30 Qkgel6h6aG7fNJRFYr3nJ1Vh.exe 15->30         started        32 conhost.exe 15->32         started        225 DLL side loading technique detected 17->225 34 pjuvtSOLLPlGSPM2OvQa5jBc.exe 17->34         started        36 conhost.exe 17->36         started        38 conhost.exe 17->38         started        process5 dnsIp6 175 91.92.243.139 THEZONEBG Bulgaria 19->175 177 107.167.110.216 OPERASOFTWAREUS United States 19->177 179 11 other IPs or domains 19->179 109 C:\Users\...\eBZXk4lGiSUv8behrL1TaKrc.exe, PE32 19->109 dropped 111 C:\Users\...\aekhBpNbpGJOZEJrVVQGXU34.exe, PE32 19->111 dropped 113 C:\Users\...\SwPWSdsTT6zaVc0eYEkxIzRh.exe, PE32 19->113 dropped 121 14 other malicious files 19->121 dropped 207 Drops script or batch files to the startup folder 19->207 209 Creates HTML files with .exe extension (expired dropper behavior) 19->209 40 39eW1VScer9uhBmf5sZMlWq0.exe 19->40         started        44 eBZXk4lGiSUv8behrL1TaKrc.exe 19->44         started        46 SwPWSdsTT6zaVc0eYEkxIzRh.exe 37 19->46         started        57 2 other processes 19->57 49 conhost.exe 24->49         started        115 C:\Users\...\vd62qzuyzvsqh3EOlrCsekRr.tmp, PE32 26->115 dropped 51 vd62qzuyzvsqh3EOlrCsekRr.tmp 26->51         started        123 6 other malicious files 30->123 dropped 211 Detected unpacking (changes PE section rights) 30->211 213 Detected unpacking (overwrites its own PE header) 30->213 215 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->215 217 2 other signatures 30->217 117 Opera_installer_2311271751114467240.dll, PE32 34->117 dropped 119 C:\Users\...\pjuvtSOLLPlGSPM2OvQa5jBc.exe, PE32 34->119 dropped 125 2 other malicious files 34->125 dropped 53 pjuvtSOLLPlGSPM2OvQa5jBc.exe 34->53         started        55 pjuvtSOLLPlGSPM2OvQa5jBc.exe 34->55         started        file7 signatures8 process9 dnsIp10 181 107.167.110.211 OPERASOFTWAREUS United States 40->181 183 107.167.110.217 OPERASOFTWAREUS United States 40->183 189 6 other IPs or domains 40->189 127 Opera_installer_2311271750247687084.dll, PE32 40->127 dropped 129 C:\Users\user\AppData\Local\...\opera_package, PE32 40->129 dropped 131 C:\Users\user\...\additional_file0.tmp, PE32 40->131 dropped 141 3 other malicious files 40->141 dropped 59 39eW1VScer9uhBmf5sZMlWq0.exe 40->59         started        62 Assistant_103.0.4928.25_Setup.exe_sfx.exe 40->62         started        64 39eW1VScer9uhBmf5sZMlWq0.exe 40->64         started        75 2 other processes 40->75 133 C:\Users\...\eBZXk4lGiSUv8behrL1TaKrc.tmp, PE32 44->133 dropped 66 eBZXk4lGiSUv8behrL1TaKrc.tmp 44->66         started        185 149.154.167.99 TELEGRAMRU United Kingdom 46->185 187 128.140.72.50 HETZNER-ASDE Germany 46->187 135 C:\Users\user\AppData\...\softokn3[1].dll, PE32 46->135 dropped 143 12 other files (8 malicious) 46->143 dropped 229 Detected unpacking (changes PE section rights) 46->229 231 Detected unpacking (overwrites its own PE header) 46->231 233 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->233 235 Found many strings related to Crypto-Wallets (likely being stolen) 46->235 69 cmd.exe 46->69         started        71 vd62qzuyzvsqh3EOlrCsekRr.exe 51->71         started        137 Opera_installer_2311271751118827504.dll, PE32 53->137 dropped 139 Opera_installer_2311271751123241288.dll, PE32 55->139 dropped 237 Found Tor onion address 57->237 239 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 57->239 73 HrUDAiSFkqhn2Q4LP7JtRQrl.exe 57->73         started        77 3 other processes 57->77 file11 signatures12 process13 file14 157 22 other malicious files 59->157 dropped 79 39eW1VScer9uhBmf5sZMlWq0.exe 59->79         started        159 6 other malicious files 62->159 dropped 145 Opera_installer_2311271750252116660.dll, PE32 64->145 dropped 147 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 66->147 dropped 149 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 66->149 dropped 151 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 66->151 dropped 161 12 other files (11 malicious) 66->161 dropped 205 Uses schtasks.exe or at.exe to add and modify task schedules 66->205 82 TVLand.exe 66->82         started        84 net.exe 66->84         started        92 2 other processes 66->92 95 2 other processes 69->95 153 C:\Users\...\vd62qzuyzvsqh3EOlrCsekRr.tmp, PE32 71->153 dropped 86 vd62qzuyzvsqh3EOlrCsekRr.tmp 71->86         started        88 powershell.exe 73->88         started        155 Opera_installer_2311271750259847204.dll, PE32 75->155 dropped 90 assistant_installer.exe 75->90         started        97 3 other processes 77->97 signatures15 process16 dnsIp17 163 Opera_installer_2311271750300987360.dll, PE32 79->163 dropped 165 C:\ProgramData\SpaceRaces\SpaceRaces.exe, PE32 82->165 dropped 99 conhost.exe 84->99         started        101 net1.exe 84->101         started        167 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 86->167 dropped 169 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 86->169 dropped 171 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 86->171 dropped 173 11 other files (10 malicious) 86->173 dropped 103 conhost.exe 88->103         started        191 69.30.233.162 WIIUS United States 92->191 193 45.155.250.90 MEER-ASmeerfarbigGmbHCoKGDE Germany 92->193 195 88.80.148.4 BELCLOUDBG Bulgaria 92->195 105 conhost.exe 92->105         started        107 conhost.exe 97->107         started        file18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e5f297504744c01bec8a5903f55b7fcc149e39a334a1c1cb80960878604b5012
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5f297504744c01bec8a5903f55b7fcc149e39a334a1c1cb80960878604b5012/
Threat name:
ByteCode-MSIL.Trojan.ScarletFlash
Create hunting rule
Status:
Malicious
First seen:
2023-11-27 17:35:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4xzjouchitabx3ekleb7kw37zqkj4ondgsq4ds4asyehqyclkaja._file
Verdict:
malicious
Similar samples:
4329b1deaf46731c0e7a55e4ca9adaefa6daa9f8f6015c8ece22dee784898c18
Glupteba
474f06b633df4bd1a96c607939cca087c7326eeeea52b28d9d925f7da35d03dc
Glupteba
67c8c2aa16bc4a0da7b2d121808e2971ef4ac58f1ba1a048511ade93c5a8e5de
Glupteba
79c6fb90545837f8ac314eaf24336831bf482b9dcc089d7002b990161002458a
Glupteba
86a7de9388ee50b02a57d831d4539ba2c32877402a952ac8dcd1c7cf7c3e4ced
Glupteba
93be4f14d79c66f35b32d4c27e86f554d85f0f44dadad705f07420ef382a3395
Glupteba
a8fa0f3fc329d7dc807d49af679fcfea9d573bf965482632b34a0b730a87a4f7
Glupteba
cb15630de2fc38b0f07691ab16cfebcc1a6a940c867c0fc41a811c26525d9fc4
Glupteba
f2ef4aecdf3304be6f7f7b729eea019ae8af63befc4c0736e71c722c169e3eab
Glupteba
+ 3 additional samples on MalwareBazaar
Result
Malware family:
glupteba
Create hunting rule
Score:
  10/10
Tags:
family:glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/231127-v52cgaah96/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
e5f297504744c01bec8a5903f55b7fcc149e39a334a1c1cb80960878604b5012
MD5 hash:
bb83e8db740d3441abb88dc34fd3759e
SHA1 hash:
df23f4d993f1d7c2c596eeb79d2a4968747b314e
Link:
https://www.unpac.me/results/6995dec9-77ab-4d82-a725-e75b80929524/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e5f297504744/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5f297504744c01bec8a5903f55b7fcc149e39a334a1c1cb80960878604b5012

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe e5f297504744c01bec8a5903f55b7fcc149e39a334a1c1cb80960878604b5012

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/460778/
  
URLhaus
https://urlhaus.abuse.ch/url/2735837/

Comments


Avatar
zbet commented on 2023-11-27 17:34:43 UTC

url : hxxp://91.92.241.91/files/Random.exe