glupteba

General

Target

SecuriteInfo.com.Generic.mg.cf35edde149e46ee.15941
Size

237KB
Sample

210214-cmpy2badre
MD5

cf35edde149e46ee5dcafa4151dd4a81
SHA1

bd920d23e20dd55fce50c1a4cb6294a65d3fd5d9
SHA256

576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09
SHA512

600e506edcb5b3423f5cd8a7a13138737bab4f639b6d8836093ca069934ac2292b66b3f519de99a8411b7f4a550fb9fe2b6059279cee1dff13f22b2190958dba

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

17694a35d42ac97e2cd3ebd196db01b372cce1b0

Attributes

url4cnc
https://telete.in/o23felk0s

rc4.plain

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Targets

- Target
  
  SecuriteInfo.com.Generic.mg.cf35edde149e46ee.15941
- Size
  
  237KB
- MD5
  
  cf35edde149e46ee5dcafa4151dd4a81
- SHA1
  
  bd920d23e20dd55fce50c1a4cb6294a65d3fd5d9
- SHA256
  
  576c0f0c427bc26f4f32211bb46a7430085cc5dda994f3c1829921d41236cb09
- SHA512
  
  600e506edcb5b3423f5cd8a7a13138737bab4f639b6d8836093ca069934ac2292b66b3f519de99a8411b7f4a550fb9fe2b6059279cee1dff13f22b2190958dba
Score

10^/10

glupteba metasploit raccoon redline smokeloader vidar 17694a35d42ac97e2cd3ebd196db01b372cce1b0 9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab backdoor discovery dropper evasion infostealer loader persistence stealer themida trojan upx
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Windows security modification
  evasion trojan
- themida
  Detects Themida, Advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2