File name:	4c4e0c61380662adc756d147f9c51ead1d3a6913f49510eae2766270b778f427rl
Full analysis:	https://app.any.run/tasks/04efd6cb-19ea-47bc-b66b-a6d985b15fe3
Verdict:	Malicious activity
Threats:	Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. The main function of Smoke Loader is dropping other, more destructive malware on infected machines. However, unlike many competing loaders, this one can be extended via plugins to feature destructive, malicious info-stealing functions. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 19:34:13
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	uac trojan glupteba auto-reg auto-sch discord loader antivm golang smoke smokeloader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:	3BFFFFDA1E470FEDE020D005D03929DA
SHA1:	42BFFDD24AA6E60B3B0807FF2AA5D321C9E3D9C6
SHA256:	4C4E0C61380662ADC756D147F9C51EAD1D3A6913F49510EAE2766270B778F427
SSDEEP:	98304:XSiyHoNtG1y8ubc3n+pBge1LZBjg2Rn+HTbGrQgo6w6uZmCExT5oAKxkoFxwCqFR:uolf9x

.exe	\|	Win64 Executable (generic) (61.6)
.dll	\|	Win32 Dynamic Link Library (generic) (14.6)
.exe	\|	Win32 Executable (generic) (10)
.exe	\|	Win16/32 Executable Delphi generic (4.6)
.exe	\|	Generic Win/DOS Executable (4.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	6
CodeSize:	2048
InitializedDataSize:	5443584
UninitializedDataSize:	-
EntryPoint:	0x14ad
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconLayouts
Value: 00000000000000000000000000000000030001000100010015000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C000000190000000000000065006C0065006300740072006F006E006900630061006E006F0074006800650072002E007200740066003E002000200000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000001100000000000000630061006D0065006D0069006C00650073002E0070006E0067003E00200020000000190000000000000064006900730065006100730065006100630063006F0075006E00740069006E0067002E0070006E0067003E002000200000001300000000000000650073007400610074006500770068006500720065002E007200740066003E002000200000000E0000000000000067006F00650073006F0072002E0070006E0067003E002000200000001400000000000000680069006100730073006500730073006D0065006E0074002E0070006E0067003E00200020000000140000000000000069007400730065006C0066007500700064006100740065002E007200740066003E002000200000000F000000000000006C006F00730074007300610079002E007200740066003E0020002000000017000000000000007000720069007600610074006500630075007200720065006E00630079002E006A00700067003E002000200000001300000000000000720075006E006E0069006E00670074006F00750072002E0070006E0067003E002000200000001700000000000000730065007300730069006F006E0069006E007400650072006500730074002E007200740066003E0020002000000011000000000000007700650065006B0079006F0075006E0067002E007200740066003E002000200000001600000000000000770065006900670068007400700072006500730073007500720065002E007200740066003E002000200000004A00000000000000340063003400650030006300360031003300380030003600360032006100640063003700350036006400310034003700660039006300350031006500610064003100640033006100360039003100330066003400390035003100300065006100650032003700360036003200370030006200370037003800660034003200370072006C002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001500000000000000000000000000000000000000803F0000004008000000803F000040400900000000000000404003000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A040110000004040000000001200000040400000803F1300000000000000803F01000000000000000040020000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000401400
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconNameVersion
Value: 1
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: 4009576800000000
(PID) Process:	(1356) 31839b57a4f11171d6abc8bbc4451ee4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation:	write	Name:	OSCaption
Value: Microsoft Windows 10 Pro
(PID) Process:	(1356) 31839b57a4f11171d6abc8bbc4451ee4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation:	write	Name:	OSArchitecture
Value: 64-bit
(PID) Process:	(1356) 31839b57a4f11171d6abc8bbc4451ee4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation:	write	Name:	IsAdmin
Value: 1
(PID) Process:	(1356) 31839b57a4f11171d6abc8bbc4451ee4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation:	write	Name:	Servers
Value: https://cdneurops.health
(PID) Process:	(1356) 31839b57a4f11171d6abc8bbc4451ee4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation:	write	Name:	UUID
Value:
(PID) Process:	(1356) 31839b57a4f11171d6abc8bbc4451ee4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation:	write	Name:	FirstInstallDate
Value: 4809576800000000
(PID) Process:	(1356) 31839b57a4f11171d6abc8bbc4451ee4.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\fde20f96
Operation:	write	Name:	ServiceVersion
Value:

PID	Process	Filename		Type
6684	4c4e0c61380662adc756d147f9c51ead1d3a6913f49510eae2766270b778f427rl.exe	C:\Users\admin\AppData\Local\Temp\aafg31.exe		executable
		MD5:7D1513A2E30FBDD54BAEDF5FCB0E143D	SHA256:07EC937D9091DE355C0B2C788A70E8897CE75EBC162E78D92C94DE5147D5022D
6684	4c4e0c61380662adc756d147f9c51ead1d3a6913f49510eae2766270b778f427rl.exe	C:\Users\admin\AppData\Local\Temp\toolspub2.exe		executable
		MD5:A137245D8BC8109C4BC3DF6E2B37D327	SHA256:F342950EA78A3910911DF852DE530912090ACEA09B895E299D4BA0132EE146EE
3100	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_plhoc43p.35a.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6368	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive		binary
		MD5:D1AFE9BF552E0CD437D6D1113D42FD73	SHA256:5B2B5E8CC8F3A695907C2599759FEE9DEDF25A10E5CDC882605914D8F8F090AA
6368	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5gtgr5sy.qqz.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6368	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nugm3mwf.f05.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3100	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_vpb0khob.1p3.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6368	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qgpcd122.tjm.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3100	powershell.exe	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive		binary
		MD5:4F68088BFA6AF8500029046EA0948C70	SHA256:B85979BCF44A20CB9023AC8029C20B7B0E417E66405E51ED2FD59D86AAB373E9
3580	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_rlrq1kzy.hzu.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4844	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4844	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	400	40.126.32.72:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	200	40.126.32.72:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	20.190.160.130:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4844	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4844	RUXIMICS.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4844	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
z.nnnaajjjgc.com	—	malicious
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
login.live.com	40.126.32.74 40.126.32.133 20.190.160.20 40.126.32.72 20.190.160.17 20.190.160.132 20.190.160.2 20.190.160.65	whitelisted
nexusrules.officeapps.live.com	52.111.229.19	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
4372	csrss.exe	Misc activity	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
4372	csrss.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Glupteba CnC Domain (cdneurops .health in TLS SNI)
4772	explorer.exe	A Network Trojan was detected	LOADER [ANY.RUN] Smokeloader HTTP Header
4772	explorer.exe	A Network Trojan was detected	LOADER [ANY.RUN] Smokeloader HTTP Header

General Info

4c4e0c61380662adc756d147f9c51ead1d3a6913f49510eae2766270b778f427rl

3BFFFFDA1E470FEDE020D005D03929DA

42BFFDD24AA6E60B3B0807FF2AA5D321C9E3D9C6

4C4E0C61380662ADC756D147F9C51EAD1D3A6913F49510EAE2766270B778F427

98304:XSiyHoNtG1y8ubc3n+pBge1LZBjg2Rn+HTbGrQgo6w6uZmCExT5oAKxkoFxwCqFR:uolf9x

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Bypass User Account Control (Modify registry)

Bypass User Account Control (fodhelper)

Modifies exclusions in Windows Defender

Changes the autorun value in the registry

Glupteba is detected

Connects to the CnC server

GLUPTEBA has been detected (SURICATA)

Application was injected by another process

Runs injected code in another process

SMOKE has been detected (SURICATA)

SMOKE mutex has been found

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

The process hides Powershell's copyright startup banner

Changes default file association

Starts CMD.EXE for commands execution

Application launched itself

Uses NETSH.EXE to add a firewall rule or allowed programs

The process creates files with name similar to system file names

Starts itself from another location

There is functionality for VM detection Parallels (YARA)

There is functionality for VM detection VirtualPC (YARA)

There is functionality for VM detection VirtualBox (YARA)

There is functionality for VM detection VMWare (YARA)

Deletes scheduled task without confirmation

Creates a software uninstall entry

Creates files in the driver directory

Windows service management via SC.EXE

Drops a system driver (possible attempt to evade defenses)

Contacting a server suspected of hosting an CnC

Executes application which crashes

Xmrig is detected

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Checks proxy server information

Create files in a temporary directory

Drops encrypted JS script (Microsoft Script Encoder)

Checks current location (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Reads security settings of Internet Explorer

Launching a file from a Registry key

Manual execution by a user

Detects GO elliptic curve encryption (YARA)

Application based on Golang

Uses Task Scheduler to autorun other applications (AUTOMATE)

The sample compiled with english language support

Reads the software policy settings

Creates files or folders in the user directory

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules