glupteba

General

Target

Versium Research.rar
Size

5.4MB
Sample

210812-n6l9952p1a
MD5

04d15b7cbf0569864486cc138604d68c
SHA1

2bdb39e458ba4e7a5e0e262262c54b0ecf685956
SHA256

91f4b7ae747bfd036882e084650f608782b6054ecc8ab32f5fe91b91caf80e5d
SHA512

1d2dcf2c1a41ab14795c7485d1a825de7f6237d726e6e1d4414dccaadf6cc77df9e5ae1ee4554321ce3b0c23899612c9be7b18ce2bf5cb829a1a04e564c3ccc0

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

7new

C2

sytareliar.xyz:80

yabelesatg.xyz:80

ceneimarck.xyz:80

Targets

- Target
  
  028d53f5224f9cc8c60bd953504f1efa.exe
- Size
  
  4.4MB
- MD5
  
  90a0bd1a164b2af8a7b15f75ab07e3f1
- SHA1
  
  c8def0f5b75c51b2efa40b07ebe035566d8be1a1
- SHA256
  
  276387214b560792419a07b097ee76400519c2c902f378207d30acf851ac2213
- SHA512
  
  b0cd55af23728cbf3a63392c492aff201df688f1185eb5f577e56151c8d871d49ae392d51bdfdf0dde360d86fc919174015d6d6cabbd3c3f59cdec5ca53bf4c0
Score

10^/10

glupteba metasploit backdoor bootkit dropper loader persistence trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Suspicious use of NtCreateProcessExOtherParentProcess
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1
- Target
  
  Bot_Checker.exe
- Size
  
  56KB
- MD5
  
  391ca27e1e5cc0da88d1fcc8df1d0d85
- SHA1
  
  25bd7c5b7d88bcd01610226fccb0910b48dc1eee
- SHA256
  
  a9ee4862c1e7931ef8366b090ac1f3212e79cc17d7737f537978d9a3fb0c5ef1
- SHA512
  
  2dbb84eb664798766a669c7d407be76d5154bd7d0b99f2c2371ad0ae3e1124605df0771b228f7a3406f023fa9cbba3022afb5b48207cf1eb14d94cda7a5117f9
Score

10^/10

bootkit persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral2
- Target
  
  Uninstall.exe
- Size
  
  97KB
- MD5
  
  a8c53399726fea24e4af993e971df5af
- SHA1
  
  50b4c4d3cf172106417dc0e59eaa63bf7cd0603e
- SHA256
  
  6b13a733947bc2395695cc6f9a8b59eae88cf6467e368a810bcac0c10d6c46a6
- SHA512
  
  b2159712ecfa8f7e9a75a190e858cc791bcdcd19118a6db40041d7ffbda531343a63244d35012702dda8514191e8bf6e838ab896c9db232f2c163fc4d4cd2bf9
Score

6^/10

bootkit persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral3
- Target
  
  Versium.exe
- Size
  
  746KB
- MD5
  
  393d6260e39b68b2d60300e4f62ebc83
- SHA1
  
  16c58c5b7dee3ce4c3a40925ba4eed3c188faf46
- SHA256
  
  e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3
- SHA512
  
  d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198
Score

10^/10

bootkit discovery evasion persistence suricata
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
  suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
  suricata
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral4
- Target
  
  VersiumResearch32bit.exe
- Size
  
  504KB
- MD5
  
  8479bce60218cd871c118308ded82d39
- SHA1
  
  0388ec861b2ac5c7f4dc6eed249d92d3002fe66e
- SHA256
  
  15078be80772a449383c5f6a7631955039b82ebaf507ab67e61093b70b98dc43
- SHA512
  
  f4be47baee6baeacbe1e27174ad83700efc78ab2d02262d718c7436d2304fc16618a5911bed63ed8d2e947af3c511d17b77ddfccea9a4e6aab9f3956fcf322f8
Score

10^/10

raccoon bootkit persistence stealer
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Raccoon Stealer Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral5
- Target
  
  VersiumResearch64bit.exe
- Size
  
  252KB
- MD5
  
  ee19bc8a2b6c6fd7c30037389457a4df
- SHA1
  
  e1fca1cc33574e59dec62763ee6e7de1a5198095
- SHA256
  
  76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0
- SHA512
  
  38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001
Score

10^/10

bootkit persistence upx
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral6
- Target
  
  Versiumresearch.exe
- Size
  
  163KB
- MD5
  
  b1dbc3b027105d8032541bc0c5e71abb
- SHA1
  
  1ef1950ecb44e6bd8d0a3849868ec9a0ceaa1130
- SHA256
  
  b0eb54f46e5919460cb8d21fdcd695e3356b6311ab0547f18dc3d84a66a14bc4
- SHA512
  
  3f7fd0aa71e6fae5eeaf16cc47a1ac43cdd1f643c1e7e439eb068685558929cf3c74552ad70fbf2d6cad94cc11bb8ea9c099ef1401b868947f1a9e5e44b34f7b
Score

10^/10

redline 7new bootkit discovery infostealer persistence spyware stealer suricata
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
  suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
  suricata
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral7