glupteba

Sharing

Copy URL

Twitter E-mail

General

Target

2aef9fa3740248e6223d291a858296cd25aae894.exe
Size

1.6MB
Sample

210910-vwzsaadefj
MD5

911786333ddc2b7abffbdaf92f5610a7
SHA1

2aef9fa3740248e6223d291a858296cd25aae894
SHA256

847a38c590090d40f07ba44dd60592cd40fe1d37e5f3b65bd6c980be752faafa
SHA512

b86572e1bcdfb4d4c6e4a04da372dc373a0639c75dd8dd94bb66041265da75edb49415055ede0c75902f429a4d38cb966523d6e959ac3a63744ed601d55feea8

Malware Config

Extracted

Family

redline

Botnet

Инсталлусы5к

91.142.77.155:5469

Extracted

Family

vidar

Version

40.5

Botnet

937

https://gheorghip.tumblr.com/

Attributes

profile_id
937

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

test

45.14.49.169:22411

Extracted

Family

redline

Botnet

Norman33

195.19.92.158:28743

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/

rc4.i32

Targets

- Target
  
  2aef9fa3740248e6223d291a858296cd25aae894.exe
- Size
  
  1.6MB
- MD5
  
  911786333ddc2b7abffbdaf92f5610a7
- SHA1
  
  2aef9fa3740248e6223d291a858296cd25aae894
- SHA256
  
  847a38c590090d40f07ba44dd60592cd40fe1d37e5f3b65bd6c980be752faafa
- SHA512
  
  b86572e1bcdfb4d4c6e4a04da372dc373a0639c75dd8dd94bb66041265da75edb49415055ede0c75902f429a4d38cb966523d6e959ac3a63744ed601d55feea8
Score

10^/10

glupteba metasploit redline smokeloader tofsee vidar 937 norman33 test инсталлусы5к backdoor dropper evasion infostealer loader persistence stealer suricata themida trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Known Sinkhole Response Header
  suricata: ET MALWARE Known Sinkhole Response Header
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Glupteba Payload

MetaSploit

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Tofsee

Vidar

suricata: ET MALWARE Known Sinkhole Response Header

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Checks BIOS information in registry

Checks computer location settings

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2