Overview

overview

10

Static

static

1

0x00030000...43.exe

windows7-x64

10

0x00030000...43.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    0x0003000000000739143.exe

  • Size

    4.2MB

  • Sample

    230518-qyqj6sba92

  • MD5

    444af2d14274155df027a61cb304b88f

  • SHA1

    6f112b5a39e44c01ee93e577ea95fffb3b04ad5b

  • SHA256

    2623d7e4c87307b1f05e9343ebc4e5c1550e4341da1781bd82d8995ef93e7715

  • SHA512

    4b2a5d6b73b934536648e8374fe791e9bf21b8762208bd9132916d5dc2b94f20c5f9c1dfe228a363570ba1e6be2b720767b1d8ec504ea1f83ae56db51e9308af

  • SSDEEP

    98304:ALXGtqfij39yYWBhjCRP95mmLIbiPmNRcnn/vSlfeunv3:SMZjEY4hORFLI2PYcnYfbP

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Targets

    • Target

      0x0003000000000739143.exe

    • Size

      4.2MB

    • MD5

      444af2d14274155df027a61cb304b88f

    • SHA1

      6f112b5a39e44c01ee93e577ea95fffb3b04ad5b

    • SHA256

      2623d7e4c87307b1f05e9343ebc4e5c1550e4341da1781bd82d8995ef93e7715

    • SHA512

      4b2a5d6b73b934536648e8374fe791e9bf21b8762208bd9132916d5dc2b94f20c5f9c1dfe228a363570ba1e6be2b720767b1d8ec504ea1f83ae56db51e9308af

    • SSDEEP

      98304:ALXGtqfij39yYWBhjCRP95mmLIbiPmNRcnn/vSlfeunv3:SMZjEY4hORFLI2PYcnYfbP

    Score
    10/10
    gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Windows security bypass

      evasiontrojan

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

      rootkitevasion

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

      rootkitevasion

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks