General

  • Target

    cfcee9378aacb84c082b3e8e6f249baa66f9758ecd0709e8d1a5b618396a1d5e

  • Size

    3.7MB

  • Sample

    220524-qxfctacgg7

  • MD5

    720a612077a422109df3c8945e088308

  • SHA1

    14ae2f30c62b716dc97c58d3dfc7954143f950d7

  • SHA256

    cfcee9378aacb84c082b3e8e6f249baa66f9758ecd0709e8d1a5b618396a1d5e

  • SHA512

    83e6e64774e7d878d6badabc7222861c45fe0651368475211d4a392091874a5d3d40bcc0532b2e7c99e28e48f64a3dd1d5393603574e3d318c9a55099219088b

Malware Config

Targets

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE Glupteba CnC Domain in DNS Lookup

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1031 Modify Existing Service (1 hit)

    T1060 Registry Run Keys / Startup Folder (1 hit)

  • Defense Evasion

    T1112 Modify Registry (2 hits)

    T1130 Install Root Certificate (1 hit)