glupteba

Sharing

General

Target

NEAS.ac7c5843a1ed152a67e3c5dbbf856c93474b8711ffbaa6c232e9524f45187750.exe
Size

1.4MB
Sample

231114-msapzscb56
MD5

831e521e13169f4622145e75b53c2ac5
SHA1

80e56a6218d3c2f6b9fbed3e3ecd3889ef217daa
SHA256

ac7c5843a1ed152a67e3c5dbbf856c93474b8711ffbaa6c232e9524f45187750
SHA512

53330732aab509bc3f544d6a79440b2f2229013b3dc08575d3c434a77f80c6a472f6a5e03baa7e7403753d841a6e12d5e61e210ea978531bd4efc836a0746b3b
SSDEEP

24576:pyUqcZoJIuyhrrVeeIsLeHGaexDMETOtKFYtMpP/A3Ar/d8XFF/Z3iAaaUIR7+MP:cUBZoJIdhVedkmG/IEy6YtaP/I2A

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelfresh

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

raccoon

Botnet

c78f27a0d43f29dbd112dbd9e387406b

http://31.192.237.23:80/

http://193.233.132.12:80/

Attributes

user_agent
SunShineMoonLight

xor.plain

Targets

- Target
  
  NEAS.ac7c5843a1ed152a67e3c5dbbf856c93474b8711ffbaa6c232e9524f45187750.exe
- Size
  
  1.4MB
- MD5
  
  831e521e13169f4622145e75b53c2ac5
- SHA1
  
  80e56a6218d3c2f6b9fbed3e3ecd3889ef217daa
- SHA256
  
  ac7c5843a1ed152a67e3c5dbbf856c93474b8711ffbaa6c232e9524f45187750
- SHA512
  
  53330732aab509bc3f544d6a79440b2f2229013b3dc08575d3c434a77f80c6a472f6a5e03baa7e7403753d841a6e12d5e61e210ea978531bd4efc836a0746b3b
- SSDEEP
  
  24576:pyUqcZoJIuyhrrVeeIsLeHGaexDMETOtKFYtMpP/A3Ar/d8XFF/Z3iAaaUIR7+MP:cUBZoJIdhVedkmG/IEy6YtaP/I2A
Score

10^/10

glupteba mystic raccoon redline sectoprat smokeloader c78f27a0d43f29dbd112dbd9e387406b pixelfresh taiga up3 backdoor dropper infostealer loader persistence rat stealer trojan
- Detect Mystic stealer payload
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

Score

3^/10

behavioral1

gluptebamysticraccoonredlinesectopratsmokeloaderc78f27a0d43f29dbd112dbd9e387406bpixelfreshtaigaup3backdoordropperinfostealerloaderpersistenceratstealertrojan

Score

10^/10

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect Mystic stealer payload

Glupteba payload

Mystic

Raccoon

Raccoon Stealer payload

RedLine

RedLine payload

SectopRAT

SectopRAT payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1