glupteba | 70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d | Triage

Submit
Reports

Overview

overview

Static

static

3

dridex

windows10-2004-x64

Sharing

General

Target

70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d
Size

15.7MB
Sample

231006-hfxa1abf62
MD5

3141032e3b1e4f3ee0d0a1fe68ccc6e8
SHA1

37adc7f63e2c38b2ad803c49d2782be701da9b56
SHA256

70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d
SHA512

d063301b2c07d8722594dd2eec9fbcb100385bcaac9843c5f329537845888803c3a6ae68ac33983b9ea429bb15d74b43a189ef4bc359c80dbb19e46ae938f0e5
SSDEEP

393216:g8EDE090yXtcYODN8EDE090yXtcYODCef/GyF3ibKL4BCXtU/PS:gjg09jtcYyjg09jtcYyxFSbi4StU6

Score

10^/10

glupteba smokeloader up3 backdoor discovery dropper evasion loader trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d.exe

Resource

win10v2004-20230915-en

glupteba smokeloader up3 backdoor discovery dropper evasion loader trojan

windows10-2004-x64

29 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

rc4.i32

Targets

- Target
  
  70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d
- Size
  
  15.7MB
- MD5
  
  3141032e3b1e4f3ee0d0a1fe68ccc6e8
- SHA1
  
  37adc7f63e2c38b2ad803c49d2782be701da9b56
- SHA256
  
  70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d
- SHA512
  
  d063301b2c07d8722594dd2eec9fbcb100385bcaac9843c5f329537845888803c3a6ae68ac33983b9ea429bb15d74b43a189ef4bc359c80dbb19e46ae938f0e5
- SSDEEP
  
  393216:g8EDE090yXtcYODN8EDE090yXtcYODCef/GyF3ibKL4BCXtU/PS:gjg09jtcYyjg09jtcYyxFSbi4StU6
Score

10^/10

glupteba smokeloader up3 backdoor discovery dropper evasion loader trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gluptebasmokeloaderup3backdoordiscoverydropperevasionloadertrojan

© 2018-2024

Terms | Privacy