General

  • Target

    eee544ff3042ebe04bd12cd25fa5dfe417aa35fbe43017ee1eefbb62dee2df29

  • Size

    5MB

  • Sample

    210227-y9lgqzwjdj

  • MD5

    74ed75664043ee127063cbe797d95ec4

  • SHA1

    92a2a2937b281c0ada62a5a36690000399bcf6d4

  • SHA256

    eee544ff3042ebe04bd12cd25fa5dfe417aa35fbe43017ee1eefbb62dee2df29

  • SHA512

    7139309a9c5011d8a5efdfe21a31086f98f9cfd92593f1321912d8d9b70d00f1b67f8a5a038f44322c27d5c9d316d4d7b83f43b4670ee7fd849b4c76ccd0ad12

Malware Config

Targets

    • Target

      eee544ff3042ebe04bd12cd25fa5dfe417aa35fbe43017ee1eefbb62dee2df29

    • Size

      5MB

    • MD5

      74ed75664043ee127063cbe797d95ec4

    • SHA1

      92a2a2937b281c0ada62a5a36690000399bcf6d4

    • SHA256

      eee544ff3042ebe04bd12cd25fa5dfe417aa35fbe43017ee1eefbb62dee2df29

    • SHA512

      7139309a9c5011d8a5efdfe21a31086f98f9cfd92593f1321912d8d9b70d00f1b67f8a5a038f44322c27d5c9d316d4d7b83f43b4670ee7fd849b4c76ccd0ad12

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

4
T1112

Install Root Certificate

1
T1130

Tasks