General

  • Target

    b2dca0ec6e31924ca9f64477a2e9a2bdd01df5a46b064b76e6f40b9cdb8e742b

  • Size

    4.1MB

  • Sample

    230607-3kf5sshg4s

  • MD5

    c2f75f5038626ca5c2b244cc27a5ae57

  • SHA1

    9e31b6cf4efb8cd49fd696de81c4d5e6b27a3705

  • SHA256

    b2dca0ec6e31924ca9f64477a2e9a2bdd01df5a46b064b76e6f40b9cdb8e742b

  • SHA512

    b1268f12cf3c87086982b035429bc65753ac0a0f4a089d9e007a1c7f15246aa0acbd8df0c82b6a852fe4c27642d8a861350c741270aa8019bb859262c10e449c

  • SSDEEP

    98304:/BN1RAFSgRiVCpISJpdcmes/cLo8j85qRy/lobOo38dN:FWKCpI4pdFo5Hy/loNsH

Malware Config

Targets

    • Target

      b2dca0ec6e31924ca9f64477a2e9a2bdd01df5a46b064b76e6f40b9cdb8e742b

    • Size

      4.1MB

    • MD5

      c2f75f5038626ca5c2b244cc27a5ae57

    • SHA1

      9e31b6cf4efb8cd49fd696de81c4d5e6b27a3705

    • SHA256

      b2dca0ec6e31924ca9f64477a2e9a2bdd01df5a46b064b76e6f40b9cdb8e742b

    • SHA512

      b1268f12cf3c87086982b035429bc65753ac0a0f4a089d9e007a1c7f15246aa0acbd8df0c82b6a852fe4c27642d8a861350c741270aa8019bb859262c10e449c

    • SSDEEP

      98304:/BN1RAFSgRiVCpISJpdcmes/cLo8j85qRy/lobOo38dN:FWKCpI4pdFo5Hy/loNsH

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Each tactic lists the observed technique, its technique ID, and the number of matching signature hits.

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 1

Tasks