Extracted

• • Target

    1E8F7E97829A667EA6E11F1BE8AED9C5.exe

  • Size

    5.5MB

  • MD5

    1e8f7e97829a667ea6e11f1be8aed9c5

  • SHA1

    527f7fe8e5ff4a39fb33ef27b0e5d5569a84c071

  • SHA256

    5fce415ea8596e0aa332b961dd62c1e39ddfbe593d577b91ff32aba9d9767cdd

  • SHA512

    f2e6709de8b62b0448ba34a265607045bf1ac3a38be4edccfbabb9fb111431112f373127746ac023c4534ed00a4cca618ecc9d35beacb49ecaceba92fb3fc22b

  Score

  10^/10

  gluptebametasploitplugxbackdoordiscoverydropperloadertrojanupx

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba Payload

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2