glupteba

General

Target

39888d8c3490d982398d136e9e0a4581.bin
Size

11.5MB
Sample

231010-bsnfasbg68
MD5

3f59a58884f81a66367f01e11b111850
SHA1

945c9cc26bd9543541e54a9600dc4297b9d02ad5
SHA256

dc7e996aa04d079773ec896adb84f82c5d92a42c65eb05a42bc98d13407d09d7
SHA512

5b68ab4ad0e60c1368b4a3e154666a648f5281a3c4e4a6af0668b54a6c362ef4be4c71d8b8fec4f9ce19df50263d7708d1539101377898e0c123538175b7f91e
SSDEEP

196608:oR3h61qAGOWAeNJx+LWHAj46l1UHSO8cpn4F8Bh8fUOoxlO8+Tt5eEnaA2pUz1TD:oRx6YJNJALWHil1KSO8cp4F8PQaxlOrr

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

stealc

C2

http://5.42.65.39

Attributes

url_path
/bed95ea4798a5204.php

rc4.plain

Targets

- Target
  
  b115ad95814af3c46b71fd230d3b2a224c8a8f356b27e0367b0f98d4948b2b60.exe
- Size
  
  13.4MB
- MD5
  
  39888d8c3490d982398d136e9e0a4581
- SHA1
  
  737a7f7e308cb3a2152f296cc3a7d44d14a675d7
- SHA256
  
  b115ad95814af3c46b71fd230d3b2a224c8a8f356b27e0367b0f98d4948b2b60
- SHA512
  
  0e463ccd5e9e98a62426a0eba604fc0664de7b5fc87ad04fef8041c983c4b1d53e024be69c9c8a22354f9b6dae7cfcfa7f2e8e7be6d192240842c09b0ffccf14
- SSDEEP
  
  196608:JOmSIaIgCXUXYGU2MYWZ3mpejjiAN8Y/IuHB+q9LOKd/VT7cRRbYc:Jl7JgCkX1SZ3pniI9hZLOKd/Wz
Score

10^/10

glupteba smokeloader stealc up3 backdoor discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMon driver.
  Roottkits write to WinMon to hide PIDs from being detected.
  rootkit evasion
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2