glupteba | ea27a3740393996408a81d2d9154a9372056a07c32550c85ca368360b929289d | Triage

Submit
Reports

Overview

overview

Static

static

1

dridex

windows10-2004-x64

Sharing

General

Target

ea27a3740393996408a81d2d9154a9372056a07c32550c85ca368360b929289d
Size

4.1MB
Sample

230330-phhnysea51
MD5

32bc022dd96550dad9911dcd721dd857
SHA1

0836d559cefc80504154765c360a642a1dd53524
SHA256

ea27a3740393996408a81d2d9154a9372056a07c32550c85ca368360b929289d
SHA512

8c978948fd5d0cae5ec4423f978d8dfab64d8fb13ac08cfd2aa724d50b11c0aa3be0114e6b69a183d5edf29a16d9954a3d5f40d204c2f9886afedd3460ae266f
SSDEEP

98304:T1YApqKkmgwsI3/2WayzCIro1jbBJ+AR+ksNs5478:T1YYamvsI3/lPz7rijlAu54w

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit

Static task

static1

Behavioral task

behavioral1

Sample

ea27a3740393996408a81d2d9154a9372056a07c32550c85ca368360b929289d.exe

Resource

win10v2004-20230220-en

glupteba discovery dropper evasion loader persistence rootkit

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  ea27a3740393996408a81d2d9154a9372056a07c32550c85ca368360b929289d
- Size
  
  4.1MB
- MD5
  
  32bc022dd96550dad9911dcd721dd857
- SHA1
  
  0836d559cefc80504154765c360a642a1dd53524
- SHA256
  
  ea27a3740393996408a81d2d9154a9372056a07c32550c85ca368360b929289d
- SHA512
  
  8c978948fd5d0cae5ec4423f978d8dfab64d8fb13ac08cfd2aa724d50b11c0aa3be0114e6b69a183d5edf29a16d9954a3d5f40d204c2f9886afedd3460ae266f
- SSDEEP
  
  98304:T1YApqKkmgwsI3/2WayzCIro1jbBJ+AR+ksNs5478:T1YYamvsI3/lPz7rijlAu54w
Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

gluptebadiscoverydropperevasionloaderpersistencerootkit

© 2018-2024

Terms | Privacy