General

  • Target

    6e7d14091a04717d4e79f5d220f21349c30817a2bed9661e7b8d2ec7b8eb141f

  • Size

    4.2MB

  • Sample

    230202-zhkhnaag2v

  • MD5

    d744d69f4252bd8ffeb21451981b9111

  • SHA1

    ced8439cc2f6082df88d12d841bc6a934f76ab10

  • SHA256

    6e7d14091a04717d4e79f5d220f21349c30817a2bed9661e7b8d2ec7b8eb141f

  • SHA512

    0fca375352d75872b4109683b899201e7e1b96599dc08e85a10e635deeb29c710112f6e6e7e0f032bb278a34a04a7b118f1504e761c367000190b2ab0c782e1d

  • SSDEEP

    98304:6telLDUkO9sPk0KAhDY6LKk1S/Ej2gjwm5RFlex:++/UkRPTXLK4Rj2gkm5Ix

Malware Config

Targets

    • Target

      6e7d14091a04717d4e79f5d220f21349c30817a2bed9661e7b8d2ec7b8eb141f

    • Size

      4.2MB

    • MD5

      d744d69f4252bd8ffeb21451981b9111

    • SHA1

      ced8439cc2f6082df88d12d841bc6a934f76ab10

    • SHA256

      6e7d14091a04717d4e79f5d220f21349c30817a2bed9661e7b8d2ec7b8eb141f

    • SHA512

      0fca375352d75872b4109683b899201e7e1b96599dc08e85a10e635deeb29c710112f6e6e7e0f032bb278a34a04a7b118f1504e761c367000190b2ab0c782e1d

    • SSDEEP

      98304:6telLDUkO9sPk0KAhDY6LKk1S/Ej2gjwm5RFlex:++/UkRPTXLK4Rj2gkm5Ix

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                              Count  ID
  Execution             Scheduled Task                         1      T1053
  Persistence           Modify Existing Service                1      T1031
  Persistence           Registry Run Keys / Startup Folder     1      T1060
  Persistence           Scheduled Task                         1      T1053
  Privilege Escalation  Scheduled Task                         1      T1053
  Defense Evasion       Modify Registry                        1      T1112
  Discovery             Query Registry                         1      T1012
  Command and Control   Web Service                            1      T1102

Tasks