MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Glupteba

Vendor detections: 13

SHA256 hash: f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7
SHA3-384 hash: bd72ccb8e5f3e8272935efbdecbff059e3b18d257d95463fe47c52a5eec3678d8594abfaf96d7916b7545621770f1157
SHA1 hash: 3ddf56275a2132a384d251247f38cc086b6db914
MD5 hash: 7b15ff87e11bd9bc7512b41635b68aeb
humanhash: nine-july-red-delaware
File name: setup_x86_x64_install.exe
Signature: Glupteba
File size: 7'443'842 bytes
First seen: 2021-09-16 14:10:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 196608:yDwyI0Mc3QVr8KLiQ7QhrN/0eKifqCxnbiJtyw07oVa:ykj0Mc3Qppihr90eKif3xstf9U
Threatray: 551 similar samples on MalwareBazaar
TLSH: T1D87633F7BAF85C63DAEFF875036294DE9A36B67E0458C2B213E1F9D2518106DC8E1406
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: exe Glupteba Loader

The imphash and icon dhash are each shared with hundreds of samples from unrelated families, so neither is a reliable pivot on its own; the SHA256 and the extracted C2 configuration further down are the stronger identifiers for this sample.

Intelligence

File Origin
# of uploads: 1
# of downloads: 1'432
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-09-16 21:00:30 UTC
Tags: trojan evasion loader rat redline stealer vidar opendir banker dridex raccoon unwanted netsupport danabot

Note: ANY.RUN is an interactive sandbox; its verdict and tags reflect everything that happened in the analysis session, including analyst actions, not only the uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed

Result
Threat name: RedLine Socelars Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected VMProtect packer
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected Vidar stealer
Behaviour
Behavior Graph ID 484554 (sample setup_x86_x64_install.exe, start date 16/09/2021, architecture WINDOWS, score 100). The graph image did not survive extraction; its nodes are reconstructed below as a process tree. Paths shown with "..." are elided in the source as well.

Sample-level network: 37.0.10.214 (WKD-ASIE, Netherlands); 37.0.10.244 (WKD-ASIE, Netherlands); 14 other IPs or domains
Sample-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 15 other signatures

setup_x86_x64_install.exe
  drops: C:\Users\user\AppData\...\setup_installer.exe (PE32)
  -> setup_installer.exe
     drops: C:\Users\user\AppData\...\setup_install.exe (PE32); C:\Users\user\...\Thu11f1187a97f50d9c.exe (PE32); C:\Users\user\...\Thu11b9fee5fd5b3c.exe (PE32); 17 other files (12 malicious)
     -> setup_install.exe
        network: 172.67.142.91 (CLOUDFLARENETUS, United States); 127.0.0.1 (loopback)
        signature: Adds a directory exclusion to Windows Defender
        -> cmd.exe
           -> Thu116d4ab7efb7.exe
              network: 208.95.112.1 (TUT-ASUS, United States); 45.136.151.102 (ENZUINC-US, Latvia)
              signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Tries to detect virtualization through RDTSC time measurements
        -> cmd.exe
           -> Thu115049bf2e.exe
              network: 172.67.160.135 (CLOUDFLARENETUS, United States)
              drops: C:\Users\user\AppData\Roaming\6832085.scr (PE32); C:\Users\user\AppData\Roaming\1823147.scr (PE32)
              signatures: Antivirus detection for dropped file; Drops PE files with a suspicious file extension
        -> cmd.exe
           -> Thu11787d2b833e6.exe
              signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Checks if the current machine is a virtual machine (disk enumeration)
        -> 8 other processes
           signature: Adds a directory exclusion to Windows Defender
           -> Thu113e650b5e.exe
              network: 2 other IPs or domains
              drops: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
              signature: Creates processes via WMI
           -> Thu118764660749a3b.exe
              network: 88.99.66.31 (HETZNER-ASDE, Germany); 144.202.76.47 (AS-CHOOPAUS, United States)
           -> Thu11b9fee5fd5b3c.exe
              drops: C:\Users\user\...\Thu11b9fee5fd5b3c.tmp (PE32)
              -> Thu11b9fee5fd5b3c.tmp
                 network: 142.250.203.110 (GOOGLEUS, United States); 142.250.203.97 (GOOGLEUS, United States); 6 other IPs or domains
                 drops: C:\Users\user\AppData\Local\...\Setup.exe (PE32); C:\Users\user\AppData\...\itdownload.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
                 (_shfoldr.dll and _setup64.tmp are the helper files an Inno Setup installer unpacks at run time, so this branch is a bundled installer rather than a bare payload)
           -> 3 other processes
              network: 46.8.29.181 (TEAM-HOSTASRU, Russian Federation)
              drops: C:\Users\user\AppData\...\Thu112e5981b78.tmp (PE32)
              signature: Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Result
Threat name: Win32.Trojan.Jaik
Status: Malicious
First seen: 2021-09-16 14:11:06 UTC
AV detection: 31 of 44 (70.45%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:ani botnet:medianew aspackv2 backdoor infostealer stealer themida trojan vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
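Several of the sandbox findings on this page are observable from ordinary process-creation telemetry: the Sigma hits in the signature list (Powershell Defender Exclusion, Suspicious Script Execution From Temp Folder) and, in the behaviour list just above, Delays execution with timeout.exe, Runs ping.exe, Kills process with taskkill and Creates processes via WMI. The script below is an added example, not code from MalwareBazaar or from any of the sandbox vendors whose results are shown. The events it runs over are constructed for the example, the rule bodies are my approximations of the public Sigma rules rather than the rules themselves, and treating a child of WmiPrvSE.exe as "created via WMI" is an assumption about how that behaviour surfaces in endpoint logs.

```python
"""Re-detect several of the sandbox signatures above from process-creation
events. Added example: events are constructed, rules approximate the public
Sigma rules, and the WMI rule encodes an assumption about endpoint telemetry."""
import re
from typing import Callable, List, Tuple

Event = Tuple[str, str, str]  # (parent_image, image, command_line)

# Constructed events for this example; none are taken from the report.
EVENTS: List[Event] = [
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\user\AppData\Local\Temp\update.vbs"'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE",
     r"ping 127.0.0.1 -n 10"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\timeout.exe",
     r"timeout /t 5"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\taskkill.exe",
     r"taskkill /f /im setup_install.exe"),
    # Assumption: a process created through WMI shows up as a child of WmiPrvSE.exe.
    (r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     r"C:\Users\user\AppData\Local\Temp\child.exe",
     r'"C:\Users\user\AppData\Local\Temp\child.exe"'),
    # Benign control: reads Defender settings, adds no exclusion.
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Get-MpPreference"),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe")
TEMP_MARKERS = ("\\windows\\temp\\", "\\temp\\", "\\users\\public\\")


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(ev: Event) -> bool:
    """Approximates Sigma 'Powershell Defender Exclusion': a PowerShell host
    calling Add-/Set-MpPreference with an -Exclusion* parameter."""
    _, image, cmd = ev
    return _base(image) in ("powershell.exe", "pwsh.exe") and bool(
        re.search(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", cmd, re.I))


def script_from_temp(ev: Event) -> bool:
    """Approximates Sigma 'Suspicious Script Execution From Temp Folder':
    a script host whose command line points into a temp or public folder."""
    _, image, cmd = ev
    low = cmd.lower()
    return _base(image) in SCRIPT_HOSTS and any(m in low for m in TEMP_MARKERS)


def execution_delay(ev: Event) -> bool:
    """'Delays execution with timeout.exe' / 'Runs ping.exe': timeout, or a
    loopback ping with a repeat count, used as a sleep substitute."""
    _, image, cmd = ev
    name = _base(image)
    if name == "timeout.exe":
        return True
    return name == "ping.exe" and "-n" in cmd.lower() and bool(
        re.search(r"127\.0\.0\.1|localhost", cmd, re.I))


def process_kill(ev: Event) -> bool:
    """'Kills process with taskkill': forced termination (/f)."""
    _, image, cmd = ev
    return _base(image) == "taskkill.exe" and bool(re.search(r"/f\b", cmd, re.I))


def wmi_spawned(ev: Event) -> bool:
    """'Creates processes via WMI' as seen from the child side (assumption)."""
    parent, _, _ = ev
    return _base(parent) == "wmiprvse.exe"


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("defender_exclusion", defender_exclusion),
    ("script_from_temp", script_from_temp),
    ("execution_delay", execution_delay),
    ("process_kill", process_kill),
    ("wmi_spawned", wmi_spawned),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every rule that fires on an event."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]


if __name__ == "__main__":
    for i, name in evaluate(EVENTS):
        print(f"event {i}: {name}: {EVENTS[i][2]}")
```

The benign Get-MpPreference event at the end fires nothing, which is why the exclusion rule keys on Add-/Set-MpPreference together with an -Exclusion* parameter rather than on any MpPreference cmdlet. The ping rule deliberately requires both a loopback target and a -n count; a plain ping to a remote host is too common in legitimate scripts to be worth an alert on its own.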
Malware Config
C2 Extraction:
https://dimonbk83.tumblr.com/
45.142.215.47:27643
91.121.67.60:62102
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
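The C2 Extraction list above mixes two indicator shapes, full URLs and bare IP:port pairs, and one of the URLs sits on tumblr.com, a legitimate service (compare "Legitimate hosting services abused for malware hosting/C2" in the behaviour list). The parser below is an added example, not MalwareBazaar's own code. It takes the list exactly as printed, types and defangs each entry, validates the IP:port pairs, and keeps indicators on shared services out of the domain blocklist so that a single profile URL does not turn into a block on the whole service. The SHARED_SERVICES set is an assumption made for this example.

```python
"""Type, validate and defang the C2 Extraction list above. Added example,
not MalwareBazaar code; SHARED_SERVICES is an assumption for the example."""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# The C2 list as printed on this page.
C2_LINES = """
https://dimonbk83.tumblr.com/
45.142.215.47:27643
91.121.67.60:62102
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
"""

# Legitimate services whose hostnames must not go on a domain blocklist
# (example list assumed for this page; feed it from your own allowlist).
SHARED_SERVICES = {"tumblr.com"}

IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def defang(s: str) -> str:
    """Make an indicator non-clickable: http -> hxxp, '.' -> '[.]'."""
    return (s.replace("https://", "hxxps://")
             .replace("http://", "hxxp://")
             .replace(".", "[.]"))


def on_shared_service(host: str) -> bool:
    """True when host is, or is a subdomain of, a shared service."""
    return any(host == s or host.endswith("." + s) for s in SHARED_SERVICES)


def parse_c2(text: str) -> List[Dict[str, object]]:
    """Turn one indicator per line into typed, validated, defanged records."""
    iocs: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_PORT.match(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            ipaddress.ip_address(ip)  # raises ValueError on octets > 255
            if not 0 < port < 65536:
                raise ValueError(f"bad port in {line!r}")
            iocs.append({"type": "ip:port", "value": line, "indicator": ip,
                         "port": port, "shared_service": False,
                         "defanged": defang(line)})
        elif line.startswith(("http://", "https://")):
            host = urlsplit(line).hostname or ""
            if not host:
                raise ValueError(f"URL without host: {line!r}")
            iocs.append({"type": "url", "value": line, "indicator": host,
                         "port": None, "shared_service": on_shared_service(host),
                         "defanged": defang(line)})
        else:
            raise ValueError(f"unrecognised C2 line: {line!r}")
    return iocs


def blocklist(iocs: List[Dict[str, object]]) -> Tuple[List[str], List[str], List[str]]:
    """Split into (domains, ips, url_only): a page on a shared service is
    blocked as an exact URL, never as the service's domain."""
    domains = sorted({str(i["indicator"]) for i in iocs
                      if i["type"] == "url" and not i["shared_service"]})
    ips = sorted({str(i["indicator"]) for i in iocs if i["type"] == "ip:port"})
    url_only = sorted(str(i["value"]) for i in iocs
                      if i["type"] == "url" and i["shared_service"])
    return domains, ips, url_only


if __name__ == "__main__":
    records = parse_c2(C2_LINES)
    for r in records:
        print(f'{r["type"]:8} {r["defanged"]}')
    print(blocklist(records))
```

Unrecognised lines raise instead of being skipped; when a feed changes format it is better to fail loudly than to ship a blocklist that is silently missing entries. Note that the IP:port regex only checks shape, so the ipaddress call is what rejects an octet like 999.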
Unpacked files

SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash: 4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash: a67cf6a62a6cabec501aa2f14e97c48b71dbd97c

SHA256 hash: c598a971f1d8bc58362396b10df4359654354e6c7b1b56741cea2a532e9bdd94
MD5 hash: 3367116dc59fc2b806bb5ec8c36bf2b6
SHA1 hash: f4fb01a1efff6c7969383ccf7f64e4ac8cfc2c6f

SHA256 hash: 67273f31f3c4fb9a72a149379b33291bf098e8f2be32a4e0a4ce247c8b6ff85c
MD5 hash: 919f41f3605f62145133f17a47d9d230
SHA1 hash: fa9327ab5ec671980d316b83b45d6c5c89a02a46

SHA256 hash: da6e2470414935131c3a094758be78605ec1c1ba8ddc755d175ac73763cc307a
MD5 hash: 03cd7541a32149209ecec14115466bc3
SHA1 hash: bff67b407cffb1d3f3afbbcee15046e968204af3

SHA256 hash: e9fd86804d20e3a8ae0009e77785d223839b014721437c4ef5ab9625930f8a88
MD5 hash: c9fff306161f9c0edb488b6e03b82631
SHA1 hash: 917148ebdb2a3fe88df516689ff0768336802007

SHA256 hash: 04b8148abe3ff102a53f7b834c3c7472152d69f5c59190a003e791bbd78d0928
MD5 hash: 8439bf284b245030e82d2f792dfe8f35
SHA1 hash: 7ec822481625879ac9643f5867d340531e692a63

SHA256 hash: 4faef6284d19d4f5e292ac2a9cd227c5061cfc913400e4e95d6ea01c078fd4eb
MD5 hash: f34bdf50eb96d47ed225218b8bd2bcb4
SHA1 hash: 7147841f91fdda11423b481f99cc15420997db06

SHA256 hash: 52701e2808de643baf6789222e4c2422cca70733222cd2e6d0b9f36a4f6eeabc
MD5 hash: 71a718d5f6f6a69ce1e844fec2a06f53
SHA1 hash: 5e3d339c99bb37e485eeadb71c9aa72a8e06fdab

SHA256 hash: 25743b4ff2ab04c2c99e7ce5e7b1300a2b9398cd7d637709f83823dcb2f24eea
MD5 hash: 93133e63f2a86185a0e36d7b7be20256
SHA1 hash: 56a38082d4ec9e24e63dcad9e43e77f06d8561ac

SHA256 hash: e2b5936aa49d61c023e171ce099bc9d267a235c12a1f19cac9e4176fc453cace
MD5 hash: f3594b86713f69b5614068e342a389e4
SHA1 hash: 1cde0c59ee2ea7e7b80463c280e7e9d96d966016

SHA256 hash: 44e0643128cf12ca0619d774ac391aa1f65c7f62d9dd579d6551221552567cc6
MD5 hash: ca2f2a8732e3388fd2f05e14d3094591
SHA1 hash: 073c76d8f720634fe1569a508cfcb3f336b96c22

SHA256 hash: 1c25cf63ef5ab14f293ea29c88f1aa4be0423de32c588d18e8bc1d2e3b940144
MD5 hash: 0e0a60c252f2ca0b5621d61fe9ffdf43
SHA1 hash: b191d77d9af5213360960496516a8355c52dcfe5

SHA256 hash: e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash: f707252b9c9579677fffb013e0cfc646
SHA1 hash: 8ab483023fa8773afb8c13464c39c5b8e687f126

SHA256 hash: d1417ebebd174d666a6abc9481d65b39fc2d88559f7fd92ebb7e2f1ae93787db
MD5 hash: 70220a3ce6ffd34101b3770342505f2c
SHA1 hash: b55c421634d8eeaec5c6193f34c04625d21a9ae9

SHA256 hash: ec32b38e5ad5c285c1d6d8237341a99772709e8e4ea23db953d63ab8f078379c
MD5 hash: ccf4a60623b784b084855d0468d76eab
SHA1 hash: 9419cc65a1bb70e8780f6da7cedd169eb333db88

SHA256 hash: 8e7a4fce0262549ceaf77c47afebd1a4b67b3bb4b33e3a380f6104c695cb71f6
MD5 hash: 15a25b9bc503bc65c0f76c15854537d8
SHA1 hash: 084179140570874040dc41e52b69ea139b51199e
Detections: win_socelars_auto

SHA256 hash: 2acd4cd66cbc8f0116817350a80e7614c2a9c59e524c4956a93eb553e74f5ed8
MD5 hash: 20950d47ef36acf9a7bcdf42fd6dce72
SHA1 hash: 93c69ad432cf0d1f1a5b42988ff1fee78732121b

SHA256 hash: 8f4d02d3f8220a774bfab9c33bec95b1b539c0212f70159fc470f43759dd302a
MD5 hash: beb8f5190a21969ff748fa14c83c5b82
SHA1 hash: d960cc6545c23c8c510b27836d7884ae59c6422b

SHA256 hash: 546bc6a7802b98c188fb9a92ef20f89aaf597e205b4101c396cbe26d8779a768
MD5 hash: d4a5c3f449aa7bd18a632731b2682255
SHA1 hash: 158a0a1a98867fa0194433f60aa6a9c13097f214

SHA256 hash: 35d78455501b41a5351a9496a502c8f72978676a0989c9c23c2ea0752a3ebd25
MD5 hash: 222abe999254533d009b74251d81e587
SHA1 hash: c4685d7857b9e870c53e6f044d71410c50b02dd3

SHA256 hash: f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7 (the submitted sample itself)
MD5 hash: 7b15ff87e11bd9bc7512b41635b68aeb
SHA1 hash: 3ddf56275a2132a384d251247f38cc086b6db914
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
