win.glupteba

Glupteba

Glupteba is a trojan that ranked among the top ten malware variants of 2021. After infecting a system it can be used to deliver additional malware, steal user authentication information, and enrol the infected host in a cryptomining botnet. The reporting listed below also documents its abuse of compromised MikroTik routers as proxies and its retrieval of updated C&C server addresses from data embedded in Bitcoin transactions.

References
2023-06-19 | Github (cocomelonc) | cocomelonc
Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe. Simple C++ example.
Tags: Glupteba
2022-12-15 | NOZOMI Network Labs | Nozomi Networks Labs
Tracking Malicious Glupteba Activity Through the Blockchain
Tags: Glupteba
2022-09-15 | Sekoia | Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Tags: Agent Tesla, Coinminer, DanaBot, DCRat, Eternity Stealer, Glupteba, Mars Stealer, NetSupportManager RAT, Nymaim, Nymaim2, Phoenix Keylogger, PrivateLoader, Raccoon, RedLine Stealer, SmokeLoader, Socelars, STOP, Vidar, YTStealer
2022-06-28 | KrebsOnSecurity | Brian Krebs
The Link Between AWM Proxy & the Glupteba Botnet
Tags: Glupteba
2022-03-23 | The Hacker News | Ravie Lakshmanan
abuse mikrotik router by GLUPTEBA malware
Tags: Glupteba Proxy, Glupteba
2022-03-18 | Avast | Martin Hron
Mēris and TrickBot standing on the shoulders of giants
Tags: Glupteba Proxy, Glupteba, TrickBot
2022-01-19 | Chainalysis | Chainalysis Team
Meet the Malware Families Helping Hackers Steal and Mine Millions in Cryptocurrency
Tags: Glupteba, RedLine Stealer
2021-12-07 | Google | Google
Complaint for Damages and Injunctive Relief against DMITRY STAROVIKOV and ALEXANDER FILIPPOV
Tags: Glupteba
2021-12-07 | Google | Google Threat Analysis Group, Luca Nagy, Shane Huntley
Disrupting the Glupteba operation
Tags: Glupteba
2021-12-07 | Google | Halimah DeLaine Prado, Royal Hansen
New action to combat cyber crime
Tags: Glupteba
2021-10-15 | Trend Micro | Fernando Mercês
Ransomware Operators Found Using New "Franchise" Business Model
Tags: Glupteba, IcedID, Mount Locker
2021-09-20 | Rostelecom-Solar | Rostelecom-Solar
How we searched for a connection between Mēris and Glupteba, and gained control over 45 thousand MikroTik devices
Tags: Glupteba
2021-09-08 | RiskIQ | Jennifer Grob
Bulletproof Hosting Services: Investigating Flowspec
Tags: Azorult, Glupteba
2021-07-19 | Bitdefender | Bitdefender
Debugging MosaicLoader, One Step at a Time
Tags: AsyncRAT, Glupteba
2021-06-04 | K7 Security | Mary Muthu Francisca
Glupteba back on track spreading via EternalBlue exploits
Tags: Glupteba
2021-02-25 | Intezer | Intezer
Year of the Gopher: A 2020 Go Malware Round-Up
Tags: NiuB, WellMail, elf.wellmess, ArdaMax, AsyncRAT, CyberGate, DarkComet, Glupteba, Nanocore RAT, Nefilim, NjRAT, Quasar RAT, WellMess, Zebrocy
2020-12-02 | DomainTools | Joe Slowik
Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign
Tags: Azorult, Glupteba
2020-06-24 | Sophos Naked Security | Paul Ducklin
Glupteba - the malware that gets secret messages from the Bitcoin blockchain
Tags: Glupteba
2020-06-24 | Sophos Labs | Andrew Brandt
Glupteba malware hides in plain sight
Tags: Glupteba
2020-04-13 | Dissecting Malware | Marius Genheimer
The Blame Game - About False Flags and overwritten MBRs
Tags: Glupteba, MBR Locker
2020-02-07 | Medium CSIS Techblog | Benoît Ancel
InstallCapital - When AdWare Becomes Pay-per-Install Cyber-Crime
Tags: DreamBot, Glupteba
2019-09-04 | Trend Micro | Jaromír Hořejší, Joseph C. Chen
Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
Tags: Glupteba
2018-03-22 | ESET Research | Frédéric Vachon
Glupteba is no longer part of Windigo
Tags: Glupteba
2014-03-18 | ESET Research | Pierre-Marc Bureau
Operation Windigo - the vivisection of a large Linux server-side credential-stealing malware campaign
Tags: Boaxxe, Glupteba
2011-03-02 | ESET Research | David Harley
TDL4 and Glupteba: Piggyback PiggyBugs
Tags: Glupteba
Yara Rules
[TLP:WHITE] win_glupteba_auto (20230808 | Detects win.glupteba.)
rule win_glupteba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.glupteba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c8 c1e102 33c8 03c9 }
            // n = 4, score = 400
            //   33c8                 | xor                 ecx, eax
            //   c1e102               | shl                 ecx, 2
            //   33c8                 | xor                 ecx, eax
            //   03c9                 | add                 ecx, ecx

        $sequence_1 = { ff75dc ff7508 ff75e2 e8???????? 83c410 ff35???????? ff15???????? }
            // n = 7, score = 400
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff75e2               | push                dword ptr [ebp - 0x1e]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_2 = { 50 8d85fcf7ffff 50 56 e8???????? 68e8030000 8d85fcf7ffff }
            // n = 7, score = 400
            //   50                   | push                eax
            //   8d85fcf7ffff         | lea                 eax, [ebp - 0x804]
            //   50                   | push                eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   68e8030000           | push                0x3e8
            //   8d85fcf7ffff         | lea                 eax, [ebp - 0x804]

        $sequence_3 = { 59 7e17 83c0fc 33c9 85c0 7e0e }
            // n = 6, score = 400
            //   59                   | pop                 ecx
            //   7e17                 | jle                 0x19
            //   83c0fc               | add                 eax, -4
            //   33c9                 | xor                 ecx, ecx
            //   85c0                 | test                eax, eax
            //   7e0e                 | jle                 0x10

        $sequence_4 = { 334e04 8b75d0 33cf 8b7ddc c1ef08 c1ee10 }
            // n = 6, score = 400
            //   334e04               | xor                 ecx, dword ptr [esi + 4]
            //   8b75d0               | mov                 esi, dword ptr [ebp - 0x30]
            //   33cf                 | xor                 ecx, edi
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   c1ef08               | shr                 edi, 8
            //   c1ee10               | shr                 esi, 0x10

        $sequence_5 = { 85c0 0f8435010000 807df473 7550 0fb745f7 50 }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   0f8435010000         | je                  0x13b
            //   807df473             | cmp                 byte ptr [ebp - 0xc], 0x73
            //   7550                 | jne                 0x52
            //   0fb745f7             | movzx               eax, word ptr [ebp - 9]
            //   50                   | push                eax

        $sequence_6 = { 0f8f9c010000 894df8 ff7518 53 53 e8???????? }
            // n = 6, score = 400
            //   0f8f9c010000         | jg                  0x1a2
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_7 = { 46 8975f8 83f810 7cd9 8d48f0 f7d9 1bc9 }
            // n = 7, score = 400
            //   46                   | inc                 esi
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   83f810               | cmp                 eax, 0x10
            //   7cd9                 | jl                  0xffffffdb
            //   8d48f0               | lea                 ecx, [eax - 0x10]
            //   f7d9                 | neg                 ecx
            //   1bc9                 | sbb                 ecx, ecx

        $sequence_8 = { 0101 03d3 8b4620 8bcb }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   03d3                 | add                 edx, ebx
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   8bcb                 | mov                 ecx, ebx

        $sequence_9 = { 00cd 3e46 005e3e 46 }
            // n = 4, score = 100
            //   00cd                 | add                 ch, cl
            //   3e46                 | inc                 esi
            //   005e3e               | add                 byte ptr [esi + 0x3e], bl
            //   46                   | inc                 esi

        $sequence_10 = { 0107 eb4d 8b02 89442418 }
            // n = 4, score = 100
            //   0107                 | add                 dword ptr [edi], eax
            //   eb4d                 | jmp                 0x4f
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_11 = { 00f1 3d46005e3e 46 00cd }
            // n = 4, score = 100
            //   00f1                 | add                 cl, dh
            //   3d46005e3e           | cmp                 eax, 0x3e5e0046
            //   46                   | inc                 esi
            //   00cd                 | add                 ch, cl

        $sequence_12 = { 0012 3f 46 008bff558bec }
            // n = 4, score = 100
            //   0012                 | add                 byte ptr [edx], dl
            //   3f                   | aas                 
            //   46                   | inc                 esi
            //   008bff558bec         | add                 byte ptr [ebx - 0x1374aa01], cl

        $sequence_13 = { 0106 830702 392e 75a0 }
            // n = 4, score = 100
            //   0106                 | add                 dword ptr [esi], eax
            //   830702               | add                 dword ptr [edi], 2
            //   392e                 | cmp                 dword ptr [esi], ebp
            //   75a0                 | jne                 0xffffffa2

        $sequence_14 = { 005e3e 46 00ff 3e46 }
            // n = 4, score = 100
            //   005e3e               | add                 byte ptr [esi + 0x3e], bl
            //   46                   | inc                 esi
            //   00ff                 | add                 bh, bh
            //   3e46                 | inc                 esi

        $sequence_15 = { 00ff 3e46 0012 3f }
            // n = 4, score = 100
            //   00ff                 | add                 bh, bh
            //   3e46                 | inc                 esi
            //   0012                 | add                 byte ptr [edx], dl
            //   3f                   | aas                 

    condition:
        7 of them and filesize < 1417216
}
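The rule above is meant to be run with YARA itself (the yara binary or yara-python). As an added example that is not part of the Malpedia page and not part of yara-signator, the following Python script re-implements just enough of YARA's hex-string matching to evaluate this rule's condition against a buffer, which makes visible what the ?? wildcards (blanked-out call targets and absolute addresses) and the filesize bound actually do. The sixteen sequences are copied verbatim from the rule; the sample input, the 0x90 filler and the helper names are constructed for the demonstration and are not Glupteba bytes. YARA features this rule does not use (jumps, alternatives, text strings, modifiers) are deliberately not supported.

```python
import re

# Hex strings of win_glupteba_auto, copied from the rule above. "??" is YARA's
# single-byte wildcard; yara-signator uses it to blank out relative call targets
# and absolute addresses (operands of e8 / ff35 / ff15) that differ between
# builds, so only the opcode skeleton is matched.
SEQUENCES = {
    "sequence_0":  "33c8 c1e102 33c8 03c9",
    "sequence_1":  "ff75dc ff7508 ff75e2 e8???????? 83c410 ff35???????? ff15????????",
    "sequence_2":  "50 8d85fcf7ffff 50 56 e8???????? 68e8030000 8d85fcf7ffff",
    "sequence_3":  "59 7e17 83c0fc 33c9 85c0 7e0e",
    "sequence_4":  "334e04 8b75d0 33cf 8b7ddc c1ef08 c1ee10",
    "sequence_5":  "85c0 0f8435010000 807df473 7550 0fb745f7 50",
    "sequence_6":  "0f8f9c010000 894df8 ff7518 53 53 e8????????",
    "sequence_7":  "46 8975f8 83f810 7cd9 8d48f0 f7d9 1bc9",
    "sequence_8":  "0101 03d3 8b4620 8bcb",
    "sequence_9":  "00cd 3e46 005e3e 46",
    "sequence_10": "0107 eb4d 8b02 89442418",
    "sequence_11": "00f1 3d46005e3e 46 00cd",
    "sequence_12": "0012 3f 46 008bff558bec",
    "sequence_13": "0106 830702 392e 75a0",
    "sequence_14": "005e3e 46 00ff 3e46",
    "sequence_15": "00ff 3e46 0012 3f",
}
REQUIRED_MATCHES = 7        # condition: "7 of them" ...
FILESIZE_LIMIT = 1417216    # ... "and filesize < 1417216"


def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string (byte pairs plus ?? wildcards) into a bytes regex."""
    parts = []
    for token in pattern.split():
        if len(token) % 2:
            raise ValueError("odd-length hex token: " + token)
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            # a wildcard byte must match any value, newline included (DOTALL)
            parts.append(b"." if pair == "??" else b"\\x%02x" % int(pair, 16))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def scan(data):
    """Evaluate the rule over data.

    Returns (names_of_matching_sequences, rule_fires). A sequence counts as
    matched if its byte pattern occurs anywhere in data; the rule fires only
    when at least REQUIRED_MATCHES sequences hit and the input is below the
    filesize bound, exactly as the rule's condition states.
    """
    hits = [name for name, rx in COMPILED.items() if rx.search(data)]
    fires = len(hits) >= REQUIRED_MATCHES and len(data) < FILESIZE_LIMIT
    return hits, fires


def instantiate(pattern, fill=0x90):
    """Concrete bytes for a hex pattern, with every ?? replaced by fill.

    Test-input helper only: 0x90 (nop) is an arbitrary filler, not a real operand.
    """
    out = bytearray()
    for token in pattern.split():
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            out.append(fill if pair == "??" else int(pair, 16))
    return bytes(out)


def build_sample(names, filler=b"\x90" * 16):
    """Constructed sample: the chosen sequences joined by filler bytes."""
    return filler.join(instantiate(SEQUENCES[n]) for n in names)


if __name__ == "__main__":
    # constructed buffer containing the eight score-400 sequences -> fires
    strong = build_sample(["sequence_%d" % i for i in range(8)])
    print(scan(strong))
    # only three sequences present -> below "7 of them", does not fire
    print(scan(build_sample(["sequence_0", "sequence_1", "sequence_2"])))
    # same content padded past the filesize bound -> strings hit, rule does not
    print(scan(strong + b"\x00" * FILESIZE_LIMIT))
```

Two practical points follow from running it. First, a wildcarded opcode skeleton carries no information about the bytes it skips, so a hit on "7 of them" is a statement about code shape, not about any specific sample; as the rule's own disclaimer says, it was generated from a small number of Malpedia samples and should be given a confidence level accordingly. Second, the filesize bound means an otherwise matching memory dump or a padded file can silently fall outside the rule; when hunting in unpacked or dumped memory, check that bound before concluding the strings are absent. For anything beyond this demonstration, run the genuine rule with yara rather than this matcher.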