glupteba

General

Target

424220d1f8bf0004aacdf1e96d90cfe1ef08f9b682f958d65d8b2a5e8346bfb4
Size

7.7MB
Sample

220310-216jyscfd2
MD5

02532e9a91086a64d2162a0e3cdd1965
SHA1

e869095230eeb02447c84271582f1d2bafd7f34e
SHA256

424220d1f8bf0004aacdf1e96d90cfe1ef08f9b682f958d65d8b2a5e8346bfb4
SHA512

441e52751229d9136a039e872e0a62489928c6ac4be09d4e1006ce8f66014506c32642cc51680c5846dbede777f0fd7513ee3c644e709c4c090241aa5f8f5f17

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

UPD

C2

193.56.146.78:54955

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Targets

- Target
  
  424220d1f8bf0004aacdf1e96d90cfe1ef08f9b682f958d65d8b2a5e8346bfb4
- Size
  
  7.7MB
- MD5
  
  02532e9a91086a64d2162a0e3cdd1965
- SHA1
  
  e869095230eeb02447c84271582f1d2bafd7f34e
- SHA256
  
  424220d1f8bf0004aacdf1e96d90cfe1ef08f9b682f958d65d8b2a5e8346bfb4
- SHA512
  
  441e52751229d9136a039e872e0a62489928c6ac4be09d4e1006ce8f66014506c32642cc51680c5846dbede777f0fd7513ee3c644e709c4c090241aa5f8f5f17
Score

10^/10

glupteba metasploit redline smokeloader socelars upd backdoor dropper evasion infostealer loader persistence spyware stealer trojan upx
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2