glupteba

General

Target

09705499.exe
Size

4.2MB
Sample

230529-kc7zfaag26
MD5

44b7636d61531c114417405f90268a45
SHA1

8d3c2ff47c4e8ab61da308cfe5bd3867949a9879
SHA256

22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b
SHA512

f2cca4082a013a26ccf344dba35e29015d19c4c76898a0bd898d1fab86dbc78f324ac7895a6a1a047cdd9a4ea5b0905c9df1a2a47a218a1cd950475af47f4695
SSDEEP

98304:wmpX8O9HedpDBHdWTegeTnadviKpY0fMqD+731uK:TFHGpNjTadv4cIwK

Score

10^/10

Malware Config

Targets

- Target
  
  09705499.exe
- Size
  
  4.2MB
- MD5
  
  44b7636d61531c114417405f90268a45
- SHA1
  
  8d3c2ff47c4e8ab61da308cfe5bd3867949a9879
- SHA256
  
  22212563c82d627560b8a141299031992fde210f22c6be2471d3497bf8cff13b
- SHA512
  
  f2cca4082a013a26ccf344dba35e29015d19c4c76898a0bd898d1fab86dbc78f324ac7895a6a1a047cdd9a4ea5b0905c9df1a2a47a218a1cd950475af47f4695
- SSDEEP
  
  98304:wmpX8O9HedpDBHdWTegeTnadviKpY0fMqD+731uK:TFHGpNjTadv4cIwK
Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Windows security bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Manipulates WinMon driver.
  Roottkits write to WinMon to hide PIDs from being detected.
  rootkit evasion
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
behavioral1 behavioral2