glupteba

General

Target

8A666D9C523DF00AB13FC79FA9EB0C45.exe
Size

9.0MB
Sample

210908-rk73qshgfq
MD5

8a666d9c523df00ab13fc79fa9eb0c45
SHA1

583dfa5e0cce1ddb4a57406301533c497a8823cf
SHA256

c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
SHA512

c282a96e6217e30ba17872cf99faae0940d852776b8b3f8caa7fb9715ab7d85cc8c3d84cdbf952f18057e161fdad8b64ef38e53d5d2ad3d59619a731106bf264

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

upd

C2

193.56.146.78:51487

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Targets

- Target
  
  8A666D9C523DF00AB13FC79FA9EB0C45.exe
- Size
  
  9.0MB
- MD5
  
  8a666d9c523df00ab13fc79fa9eb0c45
- SHA1
  
  583dfa5e0cce1ddb4a57406301533c497a8823cf
- SHA256
  
  c9371cc485825207fe107e6600c14cfd9049c34f74c8c7332f16a20afea88164
- SHA512
  
  c282a96e6217e30ba17872cf99faae0940d852776b8b3f8caa7fb9715ab7d85cc8c3d84cdbf952f18057e161fdad8b64ef38e53d5d2ad3d59619a731106bf264
Score

10^/10

glupteba metasploit redline smokeloader socelars upd backdoor dropper evasion infostealer loader persistence spyware stealer trojan upx vidar themida
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2