General

  • Target

    732c684d288250249dc10c26e66e6a5150c6c1a54090e8eb2c04caffff427b14

  • Size

    3MB

  • Sample

    221002-ngwnrache2

  • MD5

    605b705448968cad5f57db95efa9de50

  • SHA1

    246f47b27f7ee5ae786e83effb65957a6258120c

  • SHA256

    732c684d288250249dc10c26e66e6a5150c6c1a54090e8eb2c04caffff427b14

  • SHA512

    fca2b722cdd28d478c5ef597bcae7dfddff7adb47722f146f6801d0d6929abd0503496bce576229eeddfd28daaf28f410f89c0c5a6bac27f45534fd34329d6e2

Malware Config

Targets

    • Target

      732c684d288250249dc10c26e66e6a5150c6c1a54090e8eb2c04caffff427b14

    • Size

      3MB

    • MD5

      605b705448968cad5f57db95efa9de50

    • SHA1

      246f47b27f7ee5ae786e83effb65957a6258120c

    • SHA256

      732c684d288250249dc10c26e66e6a5150c6c1a54090e8eb2c04caffff427b14

    • SHA512

      fca2b722cdd28d478c5ef597bcae7dfddff7adb47722f146f6801d0d6929abd0503496bce576229eeddfd28daaf28f410f89c0c5a6bac27f45534fd34329d6e2

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation