glupteba

General

Target

dc35945061660059eb8a5fa442105efd0b410233f4f8fd87b10c9b01fe8397d5
Size

7.7MB
Sample

220314-bq7q6abee5
MD5

c5b15285cfb569e6ffd860f406487679
SHA1

08fd8ef4d2155eee594e5f6d9d6e2388d337fc86
SHA256

dc35945061660059eb8a5fa442105efd0b410233f4f8fd87b10c9b01fe8397d5
SHA512

bb90a852305eef0801ba23ac7b4b7a324737ef624e5427a7c8a91a9873cc8be6808de384da2b9e5c71a62fd30c80c4d0d340c931b19d641c2bdd0f6b7b0d0a26

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

UDP

C2

45.9.20.20:13441

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

ruzki000

C2

86.107.197.196:63065

Attributes

auth_value
80fac7f67bd38aa709bbeef7a44ccb47

Targets

- Target
  
  dc35945061660059eb8a5fa442105efd0b410233f4f8fd87b10c9b01fe8397d5
- Size
  
  7.7MB
- MD5
  
  c5b15285cfb569e6ffd860f406487679
- SHA1
  
  08fd8ef4d2155eee594e5f6d9d6e2388d337fc86
- SHA256
  
  dc35945061660059eb8a5fa442105efd0b410233f4f8fd87b10c9b01fe8397d5
- SHA512
  
  bb90a852305eef0801ba23ac7b4b7a324737ef624e5427a7c8a91a9873cc8be6808de384da2b9e5c71a62fd30c80c4d0d340c931b19d641c2bdd0f6b7b0d0a26
Score

10^/10

glupteba metasploit onlylogger redline smokeloader socelars udp backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan upx ruzki000
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- OnlyLogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Modifies boot configuration data using bcdedit
behavioral1 behavioral2