glupteba

General

Target

ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc
Size

1.2MB
Sample

231113-z1rdxsfe69
MD5

595af3edb05a483f7ba68ecbc9482009
SHA1

32570d9e657664e354a49d95745f4fd377b9756f
SHA256

ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc
SHA512

85fa4dac2260da9a29ab73d2170e56150b9ff3fd09bbc82c79c07460d9186f1b3088e207c8281594f6dc9c5016c94d8097121314a22c68030154ff6b33778c6c
SSDEEP

24576:8yoMYdDaFarOp8xRXcEmK8mzat6B2ch1oZHvsgHOhvpA9LKdWe0h+vE:ron5aFa28xRxP1+i2c+zOhSQtJ

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

pixelfresh

C2

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Targets

- Target
  
  ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc
- Size
  
  1.2MB
- MD5
  
  595af3edb05a483f7ba68ecbc9482009
- SHA1
  
  32570d9e657664e354a49d95745f4fd377b9756f
- SHA256
  
  ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc
- SHA512
  
  85fa4dac2260da9a29ab73d2170e56150b9ff3fd09bbc82c79c07460d9186f1b3088e207c8281594f6dc9c5016c94d8097121314a22c68030154ff6b33778c6c
- SSDEEP
  
  24576:8yoMYdDaFarOp8xRXcEmK8mzat6B2ch1oZHvsgHOhvpA9LKdWe0h+vE:ron5aFa28xRxP1+i2c+zOhSQtJ
Score

10^/10

glupteba mystic redline sectoprat smokeloader @ytlogsbot pixelfresh taiga up3 backdoor dropper evasion infostealer loader persistence rat spyware stealer trojan upx
- Detect Mystic stealer payload
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1