glupteba | 0c49acea30ef1e8e5c7a4651dc51a1cee4bfb4de2ba2d833cf41586eb08706f7 | Triage

Submit
Reports

Overview

overview

Static

static

1

0c49acea30...f7.exe

windows7-x64

0c49acea30...f7.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

0c49acea30ef1e8e5c7a4651dc51a1cee4bfb4de2ba2d833cf41586eb08706f7
Size

4.1MB
Sample

231012-2dd67afd67
MD5

9154415bb17ffdad1206baa8e74175d0
SHA1

defc485bb0e810573984d85060dc64c3a0277843
SHA256

0c49acea30ef1e8e5c7a4651dc51a1cee4bfb4de2ba2d833cf41586eb08706f7
SHA512

a72a429b7b02c1ed33066fecf8053912dbffb17fe45f62f7f973ec3ee49d4ef77d49075e792688fbd777801b8c7954d7e550a13206236009587171116cb276cc
SSDEEP

49152:gpgiHuyxQslsD9CisyHIyO8dEImeViVKJQFQwTZLnAdnC/k/R2tQTfQDOuEqyixd:mcsCw1N4d6aOK6cL/IPfpFLcPHFH32N

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit

Static task

static1

Behavioral task

behavioral1

Sample

0c49acea30ef1e8e5c7a4651dc51a1cee4bfb4de2ba2d833cf41586eb08706f7.exe

Resource

win7-20230831-en

glupteba dropper evasion loader

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

0c49acea30ef1e8e5c7a4651dc51a1cee4bfb4de2ba2d833cf41586eb08706f7.exe

Resource

win10v2004-20230915-en

glupteba discovery dropper evasion loader persistence rootkit

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  0c49acea30ef1e8e5c7a4651dc51a1cee4bfb4de2ba2d833cf41586eb08706f7
- Size
  
  4.1MB
- MD5
  
  9154415bb17ffdad1206baa8e74175d0
- SHA1
  
  defc485bb0e810573984d85060dc64c3a0277843
- SHA256
  
  0c49acea30ef1e8e5c7a4651dc51a1cee4bfb4de2ba2d833cf41586eb08706f7
- SHA512
  
  a72a429b7b02c1ed33066fecf8053912dbffb17fe45f62f7f973ec3ee49d4ef77d49075e792688fbd777801b8c7954d7e550a13206236009587171116cb276cc
- SSDEEP
  
  49152:gpgiHuyxQslsD9CisyHIyO8dEImeViVKJQFQwTZLnAdnC/k/R2tQTfQDOuEqyixd:mcsCw1N4d6aOK6cL/IPfpFLcPHFH32N
Score

10^/10

glupteba dropper evasion loader discovery persistence rootkit
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gluptebadropperevasionloader

behavioral2

gluptebadiscoverydropperevasionloaderpersistencerootkit

© 2018-2025

Terms | Privacy