General

  • Target

    5b55976b1a94f88bfbf78f342ee1be551f87561a42ece8568dab7e7e61a169bd

  • Size

    4.1MB

  • Sample

    230328-16gmcadf42

  • MD5

    582554fb55500ddea2abb1708ae7eee8

  • SHA1

    3139b3bc901a418bc18b2ebc7253123ecc357240

  • SHA256

    5b55976b1a94f88bfbf78f342ee1be551f87561a42ece8568dab7e7e61a169bd

  • SHA512

    25419ea681cbc3efc45ed485b99700096071466e2f7fdd647986ef2669dc740d8e02daec1467557c40a9a7aca97714d1dd1a8e3c780343f351af80c51ed928a1

  • SSDEEP

    98304:oUdwLCQU4shpicxy6jtxBRMATIHJvkKrcghVt:oUudU4micxy6XvCv/Vt

Malware Config

Targets

    • Target

      5b55976b1a94f88bfbf78f342ee1be551f87561a42ece8568dab7e7e61a169bd

    • Size

      4.1MB

    • MD5

      582554fb55500ddea2abb1708ae7eee8

    • SHA1

      3139b3bc901a418bc18b2ebc7253123ecc357240

    • SHA256

      5b55976b1a94f88bfbf78f342ee1be551f87561a42ece8568dab7e7e61a169bd

    • SHA512

      25419ea681cbc3efc45ed485b99700096071466e2f7fdd647986ef2669dc740d8e02daec1467557c40a9a7aca97714d1dd1a8e3c780343f351af80c51ed928a1

    • SSDEEP

      98304:oUdwLCQU4shpicxy6jtxBRMATIHJvkKrcghVt:oUudU4micxy6XvCv/Vt

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Modifies Windows Firewall

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Tasks