glupteba

General

Target

0c0e36b959067fd86e0af98f3717d0f4
Size

6.0MB
Sample

210825-66lm441gxx
MD5

0c0e36b959067fd86e0af98f3717d0f4
SHA1

d8d9b5b6c391ca2121c588ff27db25723a12a120
SHA256

56538d4161a6b6e0e57759f73f81a76db0b7bf9f923791f56e719793ae10ece9
SHA512

d9265cefe3de237940f1b7a7b53f11d5cbac57ccae89516f21560fd12cd1c87fbe145321e788032a683fc65e5b5273310258210243fa2d0643a1f0de86fc1e62

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

916

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
916

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

allsup

C2

188.124.36.242:25802

Extracted

Family

redline

Botnet

3

C2

deyrolorme.xyz:80

xariebelal.xyz:80

anihelardd.xyz:80

Extracted

Family

redline

Botnet

sonia

C2

94.103.82.22:49018

Targets

- Target
  
  0c0e36b959067fd86e0af98f3717d0f4
- Size
  
  6.0MB
- MD5
  
  0c0e36b959067fd86e0af98f3717d0f4
- SHA1
  
  d8d9b5b6c391ca2121c588ff27db25723a12a120
- SHA256
  
  56538d4161a6b6e0e57759f73f81a76db0b7bf9f923791f56e719793ae10ece9
- SHA512
  
  d9265cefe3de237940f1b7a7b53f11d5cbac57ccae89516f21560fd12cd1c87fbe145321e788032a683fc65e5b5273310258210243fa2d0643a1f0de86fc1e62
Score

10^/10

glupteba metasploit redline vidar 3 916 allsup sonia backdoor discovery dropper infostealer loader persistence spyware stealer suricata trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2