Overview

overview

10

Static

static

1

01450799.exe

windows7-x64

10

01450799.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    01450799.exe

  • Size

    4.2MB

  • Sample

    230603-ppyzhshb3v

  • MD5

    c121eb14e1ade276efd7fa65c5c4e28b

  • SHA1

    859ebf42e9dd47453a5a2b7874e3eae3161dd738

  • SHA256

    95fd9d6c36e92fc539aba30fbf4f2555341dc84cd98f8951d2a777b13e96c98a

  • SHA512

    ac06122f04040a07f738885cedea5f273341f39fc6810c188bb45123e059f5ab2528caf1c9adae6399c2b3f0091c278600505cdc4a0ba0f90b9a43647d91db63

  • SSDEEP

    98304:RuskzL2X0jTOifcmu/ocbxDHRWeRdYZdpZLVYMdFkw8yt6GHHA+u:RuskzVjTOifFu/o0xDxW4UpxVYwxHHlu

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Targets

    • Target

      01450799.exe

    • Size

      4.2MB

    • MD5

      c121eb14e1ade276efd7fa65c5c4e28b

    • SHA1

      859ebf42e9dd47453a5a2b7874e3eae3161dd738

    • SHA256

      95fd9d6c36e92fc539aba30fbf4f2555341dc84cd98f8951d2a777b13e96c98a

    • SHA512

      ac06122f04040a07f738885cedea5f273341f39fc6810c188bb45123e059f5ab2528caf1c9adae6399c2b3f0091c278600505cdc4a0ba0f90b9a43647d91db63

    • SSDEEP

      98304:RuskzL2X0jTOifcmu/ocbxDHRWeRdYZdpZLVYMdFkw8yt6GHHA+u:RuskzVjTOifFu/o0xDxW4UpxVYwxHHlu

    Score
    10/10
    gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Windows security bypass

      evasiontrojan

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

      rootkitevasion

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

      rootkitevasion

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks