analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

app.exe

Full analysis: https://app.any.run/tasks/c3f5fa92-2e06-4ce3-bcdb-06a5b30c00cc
Verdict: Malicious activity
Threats:

Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for.

Analysis date: May 20, 2022, 20:14:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
glupteba
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

F5D04A736B20A0C8FC8B36AAD2407A8B

SHA1:

D57B1917C34128FB3CF108563C7083E1E8562D40

SHA256:

3B5E3AC8086A5874D2BCDD8021066F68BB3E54517335C5C58E147F9474FBD5C8

SSDEEP:

49152:CZHOluu8sxKB12DjLlD9qvDt30qTb1mXTabskeeg/hYcRPQ5mfXumtskYlXGi4im:CgkjbJ33pmu47ewfKAYJGIMhpQsDf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • app.exe (PID: 2964)
      • app.exe (PID: 3772)
    • GLUPTEBA was detected

      • app.exe (PID: 2964)
      • app.exe (PID: 3772)
      • app.exe (PID: 3720)
    • Known privilege escalation attack

      • app.exe (PID: 2964)
    • Changes the autorun value in the registry

      • app.exe (PID: 3720)
    • Modifies exclusions in Windows Defender

      • app.exe (PID: 3720)
    • Drops executable file immediately after starts

      • app.exe (PID: 3720)
  • SUSPICIOUS

    • Checks supported languages

      • app.exe (PID: 2964)
      • cmd.exe (PID: 3928)
      • app.exe (PID: 3772)
      • app.exe (PID: 3720)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 2444)
      • csrss.exe (PID: 2800)
    • Reads the computer name

      • app.exe (PID: 2964)
      • cmd.exe (PID: 3928)
      • app.exe (PID: 3772)
      • app.exe (PID: 3720)
      • csrss.exe (PID: 2800)
    • Starts CMD.EXE for commands execution

      • app.exe (PID: 2964)
      • app.exe (PID: 3720)
    • Adds / modifies Windows certificates

      • app.exe (PID: 2964)
      • app.exe (PID: 3772)
    • Changes default file association

      • app.exe (PID: 2964)
    • Reads the date of Windows installation

      • CompMgmtLauncher.exe (PID: 1504)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 736)
      • cmd.exe (PID: 2444)
    • Application launched itself

      • app.exe (PID: 3772)
    • Creates files in the Windows directory

      • app.exe (PID: 3720)
    • Reads Environment values

      • netsh.exe (PID: 3016)
      • netsh.exe (PID: 1960)
    • Drops a file with a compile date too recent

      • app.exe (PID: 3720)
    • Executable content was dropped or overwritten

      • app.exe (PID: 3720)
    • Starts itself from another location

      • app.exe (PID: 3720)
  • INFO

    • Reads settings of System Certificates

      • app.exe (PID: 2964)
      • app.exe (PID: 3772)
      • csrss.exe (PID: 2800)
    • Checks supported languages

      • CompMgmtLauncher.exe (PID: 1504)
      • netsh.exe (PID: 1960)
      • netsh.exe (PID: 3016)
    • Reads the computer name

      • CompMgmtLauncher.exe (PID: 1504)
      • netsh.exe (PID: 3016)
      • netsh.exe (PID: 1960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (39.5)
.exe | UPX compressed Win32 Executable (38.7)
.dll | Win32 Dynamic Link Library (generic) (9.4)
.exe | Win32 Executable (generic) (6.4)
.exe | Generic Win/DOS Executable (2.8)

EXIF

EXE

ProductVersion: 2.5.7.86
LegalCopyright: Copyright (C) 2017, vuzuse
InternalName: dikuyurih.exe
FileVersion: 2.5.7.86
CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x651bf0
UninitializedDataSize: 2109440
InitializedDataSize: 16384
CodeSize: 4513792
LinkerVersion: 9
PEType: PE32
TimeStamp: 2018:06:17 06:44:22+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 17-Jun-2018 04:44:22

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 17-Jun-2018 04:44:22
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00203000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00204000
0x0044E000
0x0044DE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.62347
.rsrc
0x00652000
0x00004000
0x00003200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.24456

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.DLL
MSIMG32.dll
USER32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
12
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start #GLUPTEBA app.exe cmd.exe no specs compmgmtlauncher.exe no specs compmgmtlauncher.exe no specs compmgmtlauncher.exe #GLUPTEBA app.exe #GLUPTEBA app.exe cmd.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs csrss.exe

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\Users\admin\AppData\Local\Temp\app.exe" C:\Users\admin\AppData\Local\Temp\app.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\app.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3928cmd.exe /C CompMgmtLauncherC:\Windows\system32\cmd.exeapp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3996CompMgmtLauncherC:\Windows\system32\CompMgmtLauncher.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Computer Management Snapin Launcher
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4056"C:\Windows\system32\CompMgmtLauncher.exe" C:\Windows\system32\CompMgmtLauncher.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Computer Management Snapin Launcher
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1504"C:\Windows\system32\CompMgmtLauncher.exe" C:\Windows\system32\CompMgmtLauncher.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Computer Management Snapin Launcher
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3772"C:\Users\admin\AppData\Local\Temp\app.exe" C:\Users\admin\AppData\Local\Temp\app.exe
CompMgmtLauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3720"C:\Users\admin\AppData\Local\Temp\app.exe"C:\Users\admin\AppData\Local\Temp\app.exe
app.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
736cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"C:\Windows\system32\cmd.exeapp.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1960netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yesC:\Windows\system32\netsh.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2444cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"C:\Windows\system32\cmd.exeapp.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
12 911
Read events
12 495
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
3720app.exeC:\Windows\rss\csrss.exeexecutable
MD5:F5D04A736B20A0C8FC8B36AAD2407A8B
SHA256:3B5E3AC8086A5874D2BCDD8021066F68BB3E54517335C5C58E147F9474FBD5C8
2964app.exeC:\Users\admin\AppData\Local\Temp\Tar52A7.tmpcat
MD5:E721613517543768F0DE47A6EEEE3475
SHA256:3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
2964app.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:B9F21D8DB36E88831E5352BB82C438B3
SHA256:998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
2964app.exeC:\Users\admin\AppData\Local\Temp\Cab52A6.tmpcompressed
MD5:B9F21D8DB36E88831E5352BB82C438B3
SHA256:998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
2964app.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:9050ED2B0328CF039F8E9019FCEBF63B
SHA256:5F220C2F085EEF2F43DE684DD5A1F027C3A1C886880BC404D59710F53583F5A8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2964
app.exe
GET
200
23.216.77.80:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?872e8e8bf5d892ad
US
compressed
60.0 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2964
app.exe
23.216.77.80:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
2964
app.exe
63.251.106.25:443
weekdanys.com
Voxel Dot Net, Inc.
US
malicious
2800
csrss.exe
63.251.106.25:443
weekdanys.com
Voxel Dot Net, Inc.
US
malicious
3772
app.exe
63.251.106.25:443
weekdanys.com
Voxel Dot Net, Inc.
US
malicious
2800
csrss.exe
206.191.152.58:443
okonewacon.com
Voxel Dot Net, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
weekdanys.com
  • 63.251.106.25
malicious
ctldl.windowsupdate.com
  • 23.216.77.80
  • 23.216.77.69
whitelisted
okonewacon.com
  • 206.191.152.58
malicious
blackempirebuild.com
malicious

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET TROJAN Glupteba CnC Observed in DNS Query
A Network Trojan was detected
ET TROJAN Glupteba CnC Domain in DNS Lookup
2800
csrss.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
A Network Trojan was detected
ET TROJAN Glupteba CnC Domain in DNS Lookup
No debug info