General
- Target: f36fc8e0bb8eab645cf6b4876e588dc427575a4fb25db629598b29f1d9328756.zip
- Size: 188KB
- Sample: 231119-1pnz4acg81
- MD5: 08f0c11d717d84b2a207144d3f70c91d
- SHA1: 5d141b29b9474e5d0c31ab32712baad34906875e
- SHA256: c60b93b23b27e726bcdbc8cbf3915d3cbb312843eea8ad2175020389a4944e74
- SHA512: b48ff6b51173a0ac8e04b43e2e0b9b8e46d5f3a9beecd9717ee32fb5d787a98f73e7cb4e1f36a78c56d9e87df036998ab7bbb14002c5e591d2c43890581dedd9
- SSDEEP: 3072:U4tlK6Rk9jubf16w39sAyZwabw3tw/5D3Cxj2UL+n4Hpo3LO8WyV4CUgSAF0v+J+:U6KPjubt6yyRZwabv54j2Y+4mLO8RUjZ
Static task: static1
Behavioral task: behavioral1
- Sample: f36fc8e0bb8eab645cf6b4876e588dc427575a4fb25db629598b29f1d9328756.exe
- Resource: win7-20231023-en
Malware Config
Targets
- Target: f36fc8e0bb8eab645cf6b4876e588dc427575a4fb25db629598b29f1d9328756.exe
  - Size: 231KB
  - MD5: 238ef24a5847077daa2bb119b43a1a76
  - SHA1: c9ad623744aea9196c90cb7b31408b20916d7b89
  - SHA256: f36fc8e0bb8eab645cf6b4876e588dc427575a4fb25db629598b29f1d9328756
  - SHA512: 6b2ec5c4c8816c711e2cfee85ea929ebb6771e0448be24256022a31cade8535345a4650084411b0f939d05e55e7fb7a781c525a2e205c9bca8b66bdf23f70539
  - SSDEEP: 6144:58n+yOLNc4zZSvbH/44PtYNaBBeVJR8uCxA5axHU:2nPOpSvD/X+pJR8uRD
Signatures
- Glupteba payload
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15 (technique: number of matching detections)
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 2
  - Windows Service: 2
- Scheduled Task/Job: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 2
  - Windows Service: 2
- Scheduled Task/Job: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 5
  - Disable or Modify Tools: 4
- Modify Registry: 7
- Subvert Trust Controls: 1
  - Install Root Certificate: 1