glupteba

General

Target

68d5ae14c19e01a7117bdb7ff4f8f64974f869b08e473c46b9976bd3b6f6ba86
Size

1.4MB
Sample

231112-eza1bsde33
MD5

2858bd115d13c60d3742df32a62062fa
SHA1

e3ff5f1fc93188107219fbb9d58153233985aecf
SHA256

68d5ae14c19e01a7117bdb7ff4f8f64974f869b08e473c46b9976bd3b6f6ba86
SHA512

feac98760e889ce35fa4a4aa5504d7c865f9ff4bf9f5d814e088bc2a17951d0d507463eaa2f6297b1a30e36a80c12ac44f796b5aeb25519e6448da6524d0d768
SSDEEP

24576:xyHFavH4XYUph1enIsTI6GCcKDfQlTWvZeXBIgfbfQ/F98CATdv:kaeHeIOrG6DQl2eXBIwkX

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

stealc

C2

http://77.91.68.247

Attributes

url_path
/c36258786fdc16da.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Targets

- Target
  
  68d5ae14c19e01a7117bdb7ff4f8f64974f869b08e473c46b9976bd3b6f6ba86
- Size
  
  1.4MB
- MD5
  
  2858bd115d13c60d3742df32a62062fa
- SHA1
  
  e3ff5f1fc93188107219fbb9d58153233985aecf
- SHA256
  
  68d5ae14c19e01a7117bdb7ff4f8f64974f869b08e473c46b9976bd3b6f6ba86
- SHA512
  
  feac98760e889ce35fa4a4aa5504d7c865f9ff4bf9f5d814e088bc2a17951d0d507463eaa2f6297b1a30e36a80c12ac44f796b5aeb25519e6448da6524d0d768
- SSDEEP
  
  24576:xyHFavH4XYUph1enIsTI6GCcKDfQlTWvZeXBIgfbfQ/F98CATdv:kaeHeIOrG6DQl2eXBIwkX
Score

10^/10

glupteba mystic redline smokeloader stealc zgrat taiga up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
- Detect Mystic stealer payload
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1