MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7729036b9e69fd7dcf07e6ee0c8dd71a4b1432f55ab4e48572634de8d44b673. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Glupteba


Vendor detections: 13



SHA256 hash: e7729036b9e69fd7dcf07e6ee0c8dd71a4b1432f55ab4e48572634de8d44b673
SHA3-384 hash: b0cf439d01aa054c399cf5ce026b8d36d356489cc3ce9083aa19e4a173364f934643d91351ea20f51ae1d722784c7e79
SHA1 hash: ced6438a7ef0674f1333d7fd8822ec9164b04881
MD5 hash: d612294134cc6395779111675e7f4333
humanhash: ceiling-red-maine-nebraska
File name: file
Signature: Glupteba
File size: 1'084'792 bytes
First seen: 2023-11-29 20:31:10 UTC
Last seen: 2023-11-29 22:26:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:jP8WwW5NilGG01JVDXrMb6Y8U2gBLdNmP3WN7e7h2TGfpo:jP/wW5NqH0HVcbbV24dNUK
Threatray 17 similar samples on MalwareBazaar
TLSH T1B335E01223E06BC3F07451A07B7814A3C9636B07B62DA5059A5D385FADFBEF0766B0C9
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter andretavare5
Tags: exe Glupteba signed

Code Signing Certificate

Organisation: installrox inc
Issuer: installrox inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-11-29T17:48:18Z
Valid to: 2024-11-29T17:48:18Z
Serial number: 31123b2e8d849e4954e86dba33595729
Thumbprint Algorithm: SHA256
Thumbprint: 328b92dfa70d4e37f168e8a397e8548020f5b88c5a6c16471143b8345b1e1c1c
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


andretavare5
Sample downloaded from http://91.92.241.91/files/InstallSetup2.exe

Intelligence


File Origin
# of uploads: 5
# of downloads: 310
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Searching for the window
Creating a file in the %AppData% subdirectories
Moving a recently created file
Creating a service
Launching the process to interact with network services
Blocking the User Account Control
Enabling autorun for a service
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Glupteba, Socks5Systemz, Vidar
Detection: malicious
Classification: rans.troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Socks5Systemz
Yara detected Vidar stealer
Behaviour
Behavior Graph: (Behavior Graph ID 1350152, sample file.exe, start date 29/11/2023, architecture WINDOWS, score 100; the graph rendering is not reproduced here)
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-11-29 20:32:05 UTC
File Type: PE (.Net Exe)
Extracted files: 2
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Result
Malware family: glupteba
Score: 10/10
Tags: family:glupteba discovery dropper evasion loader persistence ransomware rootkit spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver
Manipulates WinMonFS driver
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
UAC bypass
Windows security bypass
Unpacked files
SHA256 hash: e7729036b9e69fd7dcf07e6ee0c8dd71a4b1432f55ab4e48572634de8d44b673
MD5 hash: d612294134cc6395779111675e7f4333
SHA1 hash: ced6438a7ef0674f1333d7fd8822ec9164b04881
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments