glupteba | 10ee2e6dbb6afa32bd1ea6956395ecad41a2a26ecc17d2d39ad9451c5ad01982 | Triage

Submit
Reports

Overview

overview

Static

static

1

dridex

windows10-2004-x64

Sharing

General

Target

10ee2e6dbb6afa32bd1ea6956395ecad41a2a26ecc17d2d39ad9451c5ad01982
Size

4.1MB
Sample

230327-lz664acg88
MD5

9be8002a4b72a9f9339a12fed7c83621
SHA1

0821c9430e9ddab1efa3bf40a41a686cdfa261a9
SHA256

10ee2e6dbb6afa32bd1ea6956395ecad41a2a26ecc17d2d39ad9451c5ad01982
SHA512

2122b6d293749810f13af7980b8f8fd1e15eb860e553463c188c24f3633cfca37c4f59f48638589f1b942916e6974d8b6bff0e2c1e12b07ee93a8c7cbf05a8e3
SSDEEP

98304:ijPo+YNF394bm9hqWalSTOCj6yFACIaXDNUrgkS3ge:Ip0FKbmLqnlxCj6y9DNU0k0ge

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit upx

Static task

static1

Behavioral task

behavioral1

Sample

10ee2e6dbb6afa32bd1ea6956395ecad41a2a26ecc17d2d39ad9451c5ad01982.exe

Resource

win10v2004-20230220-en

glupteba discovery dropper evasion loader persistence rootkit upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  10ee2e6dbb6afa32bd1ea6956395ecad41a2a26ecc17d2d39ad9451c5ad01982
- Size
  
  4.1MB
- MD5
  
  9be8002a4b72a9f9339a12fed7c83621
- SHA1
  
  0821c9430e9ddab1efa3bf40a41a686cdfa261a9
- SHA256
  
  10ee2e6dbb6afa32bd1ea6956395ecad41a2a26ecc17d2d39ad9451c5ad01982
- SHA512
  
  2122b6d293749810f13af7980b8f8fd1e15eb860e553463c188c24f3633cfca37c4f59f48638589f1b942916e6974d8b6bff0e2c1e12b07ee93a8c7cbf05a8e3
- SSDEEP
  
  98304:ijPo+YNF394bm9hqWalSTOCj6yFACIaXDNUrgkS3ge:Ip0FKbmLqnlxCj6y9DNU0k0ge
Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit upx
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

gluptebadiscoverydropperevasionloaderpersistencerootkitupx

© 2018-2024

Terms | Privacy