General

  • Target

    b3b4b03e94aad6439f82c3663ef7f080b7950427d4678f63dd9abff383f03692

  • Size

    4.1MB

  • Sample

    230327-p7wl4sfe8w

  • MD5

    1e19aa3dc82d8ca61007086e36e2fa67

  • SHA1

    7e90524c34e6083b213a1cbafe64ed4c139ef991

  • SHA256

    b3b4b03e94aad6439f82c3663ef7f080b7950427d4678f63dd9abff383f03692

  • SHA512

    7b77ebc41e16eea14e16529d405ebaaeca58db22743350ce8b5a277f9b8394de9fbbce2a0b6473ac62c5e48bbaf84595bfc09580fbfa1f9b03b08bb18f4c487a

  • SSDEEP

    98304:yLqWm8EUt/RsxsyuOliVwdHZMwkg3X+WAEpeoGZdB:jynt/Sxsyu+yc2wkUX+GURD

Malware Config

Targets

    • Target

      b3b4b03e94aad6439f82c3663ef7f080b7950427d4678f63dd9abff383f03692

    • Size

      4.1MB

    • MD5

      1e19aa3dc82d8ca61007086e36e2fa67

    • SHA1

      7e90524c34e6083b213a1cbafe64ed4c139ef991

    • SHA256

      b3b4b03e94aad6439f82c3663ef7f080b7950427d4678f63dd9abff383f03692

    • SHA512

      7b77ebc41e16eea14e16529d405ebaaeca58db22743350ce8b5a277f9b8394de9fbbce2a0b6473ac62c5e48bbaf84595bfc09580fbfa1f9b03b08bb18f4c487a

    • SSDEEP

      98304:yLqWm8EUt/RsxsyuOliVwdHZMwkg3X+WAEpeoGZdB:jynt/Sxsyu+yc2wkUX+GURD

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies Windows Firewall

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Tasks