glupteba

Sharing

Copy URL

Twitter E-mail

General

Target

4999896400822272.zip
Size

14.7MB
Sample

210924-wzpxxsheh7
MD5

36e895cac68782276f49144d8904f79e
SHA1

411476265cdb80d2119ae49c34c6700a36577657
SHA256

f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113
SHA512

db7e7997e7017fc083b067aa9a610be84e425a5a562829a02dd3650b0dcf42a4ced706a69d27b7e86ce503558b13f9791b107f4281b0f4845e1d83a874e24550

Malware Config

Extracted

Family

redline

Botnet

1.22

95.211.185.27:42097

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

vidar

Version

40.1

Botnet

933

https://eduarroma.tumblr.com/

Attributes

profile_id
933

Extracted

Family

redline

Botnet

NANani

87.251.71.14:89

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.top/welcome

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

test

193.56.146.78:51487

Targets

- Target
  
  6c5db6dce13ded4e0e6c7e9a526b063e.exe
- Size
  
  4.3MB
- MD5
  
  1485d115c0db789ed882e6da39b845d0
- SHA1
  
  b25ee4515f5a1a8b420e7eba38f233ee64a24755
- SHA256
  
  036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7
- SHA512
  
  c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b
Score

10^/10

glupteba metasploit backdoor dropper loader trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
behavioral1 behavioral2
- Target
  
  DusBrowserInst.exe
- Size
  
  172KB
- MD5
  
  2bf65413a6aabdbb7f18b7efebee633d
- SHA1
  
  c4eed75b2d69ca51ce87ede0a907db0ecbb4f4b7
- SHA256
  
  1db05647c15a26167a50bf7cf1d5f2d00ae89e4f18cfba2bcb4024f043c81739
- SHA512
  
  b59fcc75925273239c90520d616a9e5dddacfc36d6cefb1f464dab3ef066aebfc57adfd9e28484aadfb9ed6a9dde4d509e0eee2bc5245a795025c64fb790fb2f
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4
- Target
  
  IDWCH2.exe
- Size
  
  739KB
- MD5
  
  0d5cc91890c411599e994ab4d927350b
- SHA1
  
  b64c4752537fc05bd460918fe252ef64e72d2651
- SHA256
  
  b64cc3011b334fe3fdc47852da28f1d865a1f71dd819827a035b9b3adab1a163
- SHA512
  
  56418a6586f0cc7f985e944811744fdce2ddaea5e238d02b21435768a3738ba7cccc738190b677f0eb66916a24cdcd4b63701df8a35c7a44802ba053ccdf059b
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral5 behavioral6
- Target
  
  Litever01.exe
- Size
  
  502KB
- MD5
  
  bca995c0fd475fb09fb7988cb876c795
- SHA1
  
  0f8776b9a5b3daedcc314fa283172697dee4cf8d
- SHA256
  
  659895bb642f43854043053d386b987c63db7e615d827dbc41866ac0371ab92d
- SHA512
  
  94387589151f5dc774aaf981988c8f6b568e8373158ce79b5da370594a6f67f18c5b90547da62db70a808a9756fc318eeb3cd6df9b87495bfde379a46e2699df
Score

10^/10

vidar 933 stealer
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
behavioral7 behavioral8
- Target
  
  NAN.exe
- Size
  
  608KB
- MD5
  
  db1e5d0455f39c5cf5ac0c210dd679c4
- SHA1
  
  836e95bd1285ff790e55a8602febb29d97187bd7
- SHA256
  
  578eddcbe98744e25e8836b7cdc447f62b7032bcd3d083f2eb0cfe018022243e
- SHA512
  
  3f349ba618510f3e76e893fb70f0bfd5c3885216d73ed024617b49878eed376789eb7d3e4d347bb84aec8d90dbd0706256cdfdfa3f99c3b2b62982d9bc5c3a25
Score

10^/10

redline nanani infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of SetThreadContext
behavioral9 behavioral10
- Target
  
  anyname.exe
- Size
  
  100KB
- MD5
  
  2cd68cb7fd85144362d03a0b260f338f
- SHA1
  
  6e106cc5246ed9fe053ef748b28022183e520ad9
- SHA256
  
  f67d7d488b447f8a6356bff9d49add653ef5c49e6dc74982005028d01609c24a
- SHA512
  
  4ac9508d59f9f32d5b883b78b2b4cc80a7364731d96f01f53d816055fe7e1f8505790796ca4696c6810de89331a346e2b5eedd071c50b56c10489bcc9b72693c
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  app.exe
- Size
  
  4.3MB
- MD5
  
  d3f680a40104a2bf44d1e55ab22cc283
- SHA1
  
  3e44293bd666ee6842f27001e561442203479698
- SHA256
  
  a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86
- SHA512
  
  478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b
Score

10^/10

glupteba metasploit backdoor dropper loader trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
behavioral13 behavioral14
- Target
  
  askinstall50.exe
- Size
  
  1.4MB
- MD5
  
  68bc0c244bb2d261a9a7d007bb6e06d7
- SHA1
  
  4226d51ebf9d925de953e0a5a6b3784eabfc47b6
- SHA256
  
  fd53ca7be25f932d930f68ab7818359762dde5d3608271e7a27e815f5b30e9e4
- SHA512
  
  f52a04cd2a5d0f9f30be1b6827e95f5afe5f34d0453a78b000dd71d7d8e20467ef6f541a91858833704df6b1560cb5701eab08e5df0a86870b946b052cd6d9da
Score

10^/10

socelars discovery spyware stealer
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral15 behavioral16
- Target
  
  farlab_setup.exe
- Size
  
  1.7MB
- MD5
  
  a7703240793e447ec11f535e808d2096
- SHA1
  
  913af985f540dab68be0cdf999f6d7cb52d5be96
- SHA256
  
  6a17ebf5da6aa3a1f4813e5f46fdd5d19d026bcfac91f232359f98e43df3c38f
- SHA512
  
  57bdcdfcfa11f6b5bf4149be0fee0444fcf67ccececf1009b166b17b7dce30da1a472f1890736186f4ef76e02ed23cc0dd2a41dc9bff94218a059832d4b5c69e
Score

10^/10

vidar discovery evasion persistence spyware stealer
- Modifies firewall policy service
  evasion
- Registers COM server for autorun
  persistence
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  inst002.exe
- Size
  
  265KB
- MD5
  
  f38f3aab5af6435226dcca8751f61e6c
- SHA1
  
  e555e536dca72784f73422a216aa35206441444a
- SHA256
  
  94590b6681e3f9255a27b41a356d0334460ed596daab947258110a4ab94708db
- SHA512
  
  0402a9d77388348aa055ab58a3211222ffdbe043e73052e075d861d1d0888437cfdeb2c2d7676b23e539b573bd4a4180d4e5f8af840693823979997f99c76c09
Score

1^/10
behavioral19 behavioral20
- Target
  
  jamesnew.exe
- Size
  
  846KB
- MD5
  
  ea180cb17e71d8e32481aa37cb796cc1
- SHA1
  
  351b1c6cdbdcd21215e6cb9fc7b76887ddfe7a2a
- SHA256
  
  8a75fd219504039ceb7841811d75416ca52eb26a9667bbdf621055dad62e8b1a
- SHA512
  
  7bfe33816e5d6373cdbae1b8fffb620e76defabd1302b8c98650980ac0292b3135cee52d7316b8fe895812e56b2a7cfa2aa983d7e746f4673c37f1b585636cbc
Score

3^/10
behavioral21 behavioral22
- Target
  
  justdezine.exe
- Size
  
  136KB
- MD5
  
  7bd33952ce41285449099ae0bcd48d81
- SHA1
  
  1d6224283dd85c51a22445a69b1f2771724a7733
- SHA256
  
  6d5ac5464acd393224513115ebee2eeca5efca62b2a0e92f50c5186a8f740581
- SHA512
  
  bbe8a7d76db63b498b0ff8736ab010c12506b8f27b17eaeb13a77d0972e6512a54dccbf5c050642ffe7665647439c5fd1424312677b351d7fe893a7956728c05
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Deletes itself
behavioral23 behavioral24
- Target
  
  md3_3kvm.exe
- Size
  
  924KB
- MD5
  
  53b01ccd65893036e6e73376605da1e2
- SHA1
  
  12c7162ea3ce90ec064ce61251897c8bec3fd115
- SHA256
  
  de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7
- SHA512
  
  e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067
Score

7^/10

spyware stealer evasion trojan
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
behavioral25 behavioral26
- Target
  
  mixseven.exe
- Size
  
  213KB
- MD5
  
  984f9ec5ff106e4c08bb076ef63f3ec2
- SHA1
  
  119152d00b0b883cefae6519bbe4be43c6e1aafd
- SHA256
  
  438676e5d2d9fd41a35b18eee5db8917e7f960f0d50917513f4fb92b95d29995
- SHA512
  
  641cdf64b6ba39fb01c0bbe86aa878026e9f61280a83d449d67656dfa89100957f9e5b2b575b7ec460a0eeb4d2a8ef8da0781de58d3c518be2a2ae97ce1acd6a
Score

10^/10

evasion themida trojan
- Suspicious use of NtCreateProcessExOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27 behavioral28
- Target
  
  redcloud.exe
- Size
  
  173KB
- MD5
  
  16bf4653dfc06b85e7d34cb5cfe62717
- SHA1
  
  35ca16cdb661f6978815efc8c8a2ae0fbddcb733
- SHA256
  
  6038860aefedc84fdafe7d693ea6fa63147be5e3a43dd96e20adf377811c5d30
- SHA512
  
  0717f23056515b18f627496c309c22bfc76da5b61f2730a320fa8584ad0fb5ed47a8695ad255bc8635cdd379d2313cb141466e86ae0b639c33772fe2177fa35f
Score

1^/10
behavioral29 behavioral30
- Target
  
  udptest.exe
- Size
  
  240KB
- MD5
  
  265717bdcb626127fdb7e62b018e963c
- SHA1
  
  d9d70e33380e33caa8c48b6a4ba7a4fe08ecafe5
- SHA256
  
  e102abb40eb0795f838749e262c4e94af6df4213832b1d055b727cbc50f3a8ee
- SHA512
  
  f9c3656bb1e9848620990ca2ee8c163f32c2259774cf21ff78979ba1318daabb672ba1a67924b90d55cce8b579830bf31db32e2da83a09b51916c60ca157f362
Score

10^/10

redline test infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Glupteba Payload

MetaSploit

Legitimate hosting services abused for malware hosting/C2

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtCreateProcessExOtherParentProcess

Vidar

Vidar Stealer

RedLine

RedLine Payload

Suspicious use of SetThreadContext

Process spawned unexpected child process

Loads dropped DLL

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Glupteba

Glupteba Payload

MetaSploit

Socelars

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Modifies firewall policy service

Registers COM server for autorun

Vidar

Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Modifies Installed Components in the registry

Loads dropped DLL

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

SmokeLoader

Deletes itself

Reads user/profile data of web browsers

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateProcessExOtherParentProcess

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

RedLine

RedLine Payload

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11