General

  • Target

    f5080fc8269a3c8dd919e8d1dbd2ff9d6bc562c70c6429a01482236d5f29dc41

  • Size

    3MB

  • Sample

    230202-rdatnaee7s

  • MD5

    da9f8f49854878c38e95f93006bc7c19

  • SHA1

    8ae980378bd2c42a24f2a6b4be2f0695a97860d6

  • SHA256

    f5080fc8269a3c8dd919e8d1dbd2ff9d6bc562c70c6429a01482236d5f29dc41

  • SHA512

    357ff9810a8f66ebe301daf160072a5ea11a2e579b79d0a34d1b66106facb9b7e9cd045dcf4dd41dd6302e39c31c094438c2c447911504e2d274e65963a7835f

  • SSDEEP

    98304:/ReGuQ8kHOnYvSKhKNLwCErpijireyuBRmsazK:/0GemSkKNLFnj2wBcm

Targets

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      A process was created through NtCreateUserProcess with an explicit parent process other than the caller (parent PID spoofing), so the recorded process tree hides the true creator.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

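The "UPX packed file" signature above is a static check, so it can be reproduced offline. The following is an added example, not code from the sandbox report or from the Triage project: a minimal PE section-table parser plus three independent UPX heuristics (UPX0/UPX1 section names, the "UPX!" packheader string, and per-section entropy). Stock UPX trips the first two; a modified UPX that renames sections and strips the marker usually still trips the entropy check, which is why the signature text says "UPX/modified UPX". The two PE-shaped blobs are constructed in memory and are parseable but not loadable; the 7.0 bits/byte threshold is an assumption, not a value taken from the report.

```python
# Added example (not part of the sandbox report): PE section parser + UPX heuristics,
# run over synthetic PE-shaped blobs built in memory so no sample file is needed.
import hashlib
import math
import struct
from typing import Dict, List, Tuple

Section = Tuple[str, bytes]  # (section name, raw section bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> List[Section]:
    """Walk the COFF section table and return (name, raw data) for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                         # IMAGE_SECTION_HEADER[]
    sections: List[Section] = []
    for i in range(num_sections):
        hdr = table + i * 40                             # each section header is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def upx_indicators(data: bytes, entropy_threshold: float = 7.0) -> Dict[str, object]:
    """Three independent signals; 'likely_packed' is the union, 'likely_upx' needs a UPX-specific one."""
    sections = pe_sections(data)
    names = [n for n, _ in sections]
    high_entropy = [n for n, raw in sections
                    if len(raw) >= 64 and shannon_entropy(raw) > entropy_threshold]
    upx_names = any(n.upper().startswith("UPX") for n in names)
    upx_marker = b"UPX!" in data                         # UPX packheader magic
    return {
        "sections": names,
        "upx_section_names": upx_names,
        "upx_packheader_marker": upx_marker,
        "high_entropy_sections": high_entropy,
        "likely_upx": upx_names or upx_marker,
        "likely_packed": upx_names or upx_marker or bool(high_entropy),
    }


def build_fake_pe(sections: List[Section]) -> bytes:
    """Synthetic PE-shaped blob: DOS header, PE signature, COFF header with an
    empty optional header, section table, raw section data. Parseable, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)         # raw data starts after the headers
    table, blobs = b"", b""
    for name, raw in sections:
        table += name.encode("latin-1").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed inputs (not the sample from the report). The "packed" blob mimics the
# stock UPX layout; its body is a deterministic SHA-256 counter stream so it looks
# compressed without needing real compression.
_COMPRESSED_LOOKING = b"".join(hashlib.sha256(b"synthetic-%d" % i).digest() for i in range(128))
PACKED_SAMPLE = build_fake_pe([
    ("UPX0", b""),
    ("UPX1", _COMPRESSED_LOOKING + b"UPX!"),
    (".rsrc", b"\0" * 64),
])
CLEAN_SAMPLE = build_fake_pe([
    (".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 64),     # repetitive, low-entropy "code"
    (".data", b"hello, world\0" * 16),
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, upx_indicators(blob))
```

Treat "likely_upx" as the equivalent of the report's signature and "likely_packed" as the weaker fallback; an entropy hit alone also fires on legitimately compressed resources or encrypted overlays, so it should raise a triage score rather than a verdict.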
MITRE ATT&CK Matrix (ATT&CK v6)

The count column is the number of matched signatures mapped to that technique.

Tactic                Technique                             ID      Count
Execution             Scheduled Task                        T1053   1
Persistence           Modify Existing Service               T1031   1
Persistence           Registry Run Keys / Startup Folder    T1060   1
Persistence           Scheduled Task                        T1053   1
Privilege Escalation  Scheduled Task                        T1053   1
Defense Evasion       Modify Registry                       T1112   1
Discovery             Query Registry                        T1012   1
Command and Control   Web Service                           T1102   1

These are v6 identifiers. In current ATT&CK, T1031 and T1060 are retired (folded into T1543.003 Windows Service and T1547.001 Registry Run Keys / Startup Folder) and Scheduled Task is the sub-technique T1053.005; map accordingly before comparing with reports produced against a newer matrix.
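The behaviours in the signature list and the matrix above can be turned into rules over a sandbox API trace. The following is an added example, not Triage's own signature logic or its trace format: a hypothetical trace schema (pid, hooked API name, string arguments; the parent_pid field stands for PS_ATTRIBUTE_PARENT_PROCESS resolved to a PID) and rules for the dropped-EXE, parent-PID-spoofing, Run key, Uninstall-key enumeration, firewall and scheduled-task signatures, each tagged with the v6 technique ID the matrix uses where one applies. Modify Existing Service and Web Service are left out because the report does not say which service or hosting provider was involved. The trace is constructed; the paths and PIDs in it are not from the sample.

```python
# Added example (not from the report or from Triage): signature rules over a
# constructed API trace in a hypothetical sandbox schema.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ApiCall:
    pid: int                                   # calling process
    api: str                                   # hooked API name
    args: Dict[str, str] = field(default_factory=dict)


Hit = Tuple[str, str]                          # (signature name as in the report, ATT&CK v6 ID or "")
_RUN_KEY = re.compile(r"\\currentversion\\run(once)?$")


def detect(trace: List[ApiCall]) -> List[Hit]:
    hits: List[Hit] = []
    dropped: Set[str] = set()                  # executables the sample itself wrote to disk
    for call in trace:
        a = call.args
        if call.api == "NtWriteFile" and a.get("path", "").lower().endswith(".exe"):
            dropped.add(a["path"].lower())
        elif call.api == "NtCreateUserProcess":
            image = a.get("image", "").lower()
            cmd = a.get("cmdline", "").lower()
            # Parent attribute present and not the caller: parent PID spoofing.
            if a.get("parent_pid") not in (None, str(call.pid)):
                hits.append(("Suspicious use of NtCreateUserProcessOtherParentProcess", ""))
            if image in dropped:
                hits.append(("Executes dropped EXE", ""))
            if image.endswith("\\netsh.exe") and "advfirewall" in cmd:
                hits.append(("Modifies Windows Firewall", ""))
            if image.endswith("\\schtasks.exe") and "/create" in cmd:
                hits.append(("Scheduled Task", "T1053"))
        elif call.api == "RegSetValueExW":
            if _RUN_KEY.search(a.get("key", "").lower()):
                hits.append(("Adds Run key to start application", "T1060"))
        elif call.api in ("RegOpenKeyExW", "RegEnumKeyExW"):
            if "\\currentversion\\uninstall" in a.get("key", "").lower():
                hits.append(("Checks installed software on the system", "T1012"))
    return hits


def technique_ids(hits: List[Hit]) -> List[str]:
    """Ordered, de-duplicated ATT&CK IDs for the matrix view."""
    seen: List[str] = []
    for _, tid in hits:
        if tid and tid not in seen:
            seen.append(tid)
    return seen


# Constructed trace (hypothetical schema; paths and PIDs are invented for the example).
DROP = r"C:\Users\user\AppData\Roaming\svc.exe"
TRACE = [
    ApiCall(1000, "NtWriteFile", {"path": DROP}),
    ApiCall(1000, "NtCreateUserProcess", {"image": DROP, "parent_pid": "1000"}),
    ApiCall(1000, "NtCreateUserProcess", {"image": r"C:\Windows\System32\cmd.exe", "parent_pid": "640"}),
    ApiCall(2000, "RegSetValueExW", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                     "value": "svc", "data": DROP}),
    ApiCall(2000, "RegEnumKeyExW", {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"}),
    ApiCall(2000, "NtCreateUserProcess", {"image": r"C:\Windows\System32\netsh.exe", "parent_pid": "2000",
                                          "cmdline": r'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="' + DROP + '"'}),
    ApiCall(2000, "NtCreateUserProcess", {"image": r"C:\Windows\System32\schtasks.exe", "parent_pid": "2000",
                                          "cmdline": "schtasks /create /tn svc /sc onlogon /tr " + DROP}),
]

if __name__ == "__main__":
    for name, tid in detect(TRACE):
        print(f"{tid or '-':6} {name}")
```

The spoofing rule is the one worth copying: endpoint telemetry that reports only the spoofed parent cannot raise it, because the creator's identity is visible only at the NtCreateUserProcess call, which is why the sandbox names the API in the signature.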