General

  • Target

    88ca5429f665c844b2b0f7f5ea14feae7934d2f9e8040f86418085fb4af429a6

  • Size

    4.1MB

  • Sample

    230201-qt543agf39

  • MD5

    917ac10f7baa41838c8f2af94496efba

  • SHA1

    35a35dbeb38dfd54204cdba3b504bd437acf0e8e

  • SHA256

    88ca5429f665c844b2b0f7f5ea14feae7934d2f9e8040f86418085fb4af429a6

  • SHA512

    9ab86a3f1bf0cacca4bb86e0185c148edee2cfd8fbb16724a5a1829614e3b473d041153feb25a05c87d84b2027d2b21db287fd233361881239a0362d569da6b2

  • SSDEEP

    98304:H6fyeZOkSsXCJDxp7vbPmU2t0bQU77LS5iWoBjdXw1FywH41vk:H6f3ZOkSsSJbX2t0b177m5v4jG1FTR

Malware Config

Targets

    • Target

      88ca5429f665c844b2b0f7f5ea14feae7934d2f9e8040f86418085fb4af429a6

    • Size

      4.1MB

    • MD5

      917ac10f7baa41838c8f2af94496efba

    • SHA1

      35a35dbeb38dfd54204cdba3b504bd437acf0e8e

    • SHA256

      88ca5429f665c844b2b0f7f5ea14feae7934d2f9e8040f86418085fb4af429a6

    • SHA512

      9ab86a3f1bf0cacca4bb86e0185c148edee2cfd8fbb16724a5a1829614e3b473d041153feb25a05c87d84b2027d2b21db287fd233361881239a0362d569da6b2

    • SSDEEP

      98304:H6fyeZOkSsXCJDxp7vbPmU2t0bQU77LS5iWoBjdXw1FywH41vk:H6f3ZOkSsSJbX2t0b177m5v4jG1FTR

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

Command and Control

Web Service

1
T1102

Tasks