MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Glupteba


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362
SHA3-384 hash: 1b81f02270dc0f5b94e8d7d4bcabd55fec40cd89ff8429c0b8f27ef6be1157bc7dd2c7a33ebadd16e17880f71a7ab4f2
SHA1 hash: 04b27dc5244505dec9f68f7f0927dc5b0091f0f9
MD5 hash: 9d7d25af39191d8040bb5941ae540802
humanhash: ink-uncle-california-fix
File name:9d7d25af39191d8040bb5941ae540802
Download: download sample
Signature Glupteba
Create hunting rule
File size:4'939'776 bytes
First seen:2022-10-04 11:10:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0e9c847d831a8ac3efa55818acb90d72 (4 x Glupteba, 1 x CryptOne)
ssdeep 98304:62hMpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:6bbFmS3VjVEOeTtJHbdnrz7
Threatray 5 similar samples on MalwareBazaar
TLSH T19D36DF2A7B0981B6CA7173F599AB65DE9430DC30906540F8EE832B48F536E7743BA347
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 exe Glupteba

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316455/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41055/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/633c14c749c58ce767c5f583/reports/9408f4f7-765f-4301-b525-f4ade767b2eb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5ffc64b-5b4b-4a0c-9b92-e58884e2e659
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1083817
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5otgjonz4veoczfnw43b2ofoezav7r6dg6viue7mb6uyhk3lenra._file
Verdict:
malicious
Similar samples:
2e6e8729d76dc13a750db437a1677e60d579f785714e7c5bbff65085be0f08bf
Glupteba
5f2f29011be6cf5de2a601ddd3ea58224a73f663725f81a87a8659b520000e36
Glupteba
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
Glupteba
7b1e00c9b305c4355432682a1d67a2bc1fc35bd4dccf53419d01a7986d8053e7
Glupteba
883e12a7cd81c09838284e4dbda9caa9d8df6ac57234e14ee0ee02bb2fcc2329
Glupteba
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221004-m99kmsbabq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Gathering data
Unpacked files
SH256 hash:
69d043f055680cbd141f3b1f02d9f893d0984596f1702b85aa960f8980bc6b6e
MD5 hash:
9b48c7427e6d09b88e0f40453f1b5e7b
SHA1 hash:
f40bcd1863f21f6fe9ec914ff432d84492860aa0
Link:
https://www.unpac.me/results/55b9f681-fb1e-41bf-ad97-a4694e712af8/
SH256 hash:
eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362
MD5 hash:
9d7d25af39191d8040bb5941ae540802
SHA1 hash:
04b27dc5244505dec9f68f7f0927dc5b0091f0f9
Link:
https://www.unpac.me/results/55b9f681-fb1e-41bf-ad97-a4694e712af8/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eba664b9b9e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:Glupteba
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Glupteba

Executable exe eba664b9b9e548e164adb7361d38ae26415fc7c337aa8a13ec0fa983ab6b2362

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2350084/
Cape
Cape
https://www.capesandbox.com/analysis/316455/

Comments


Avatar
zbet commented on 2022-10-04 11:10:44 UTC

url : hxxp://179.43.163.115/intersock.exe