glupteba

General

Target

03edcc6fa1a6c4087078ebd6e0b9e582.exe
Size

37KB
Sample

231126-s9dqvsac28
MD5

03edcc6fa1a6c4087078ebd6e0b9e582
SHA1

eab72c5f24db3ce69464bb439d8934fa0b8bfef5
SHA256

346186ece8ef2ec4229c3f4bbdbecc4fd3aa6fcec3ca8c34601af5b896eecd6c
SHA512

b3c6c309e5d01faca8973195bebbdb86d72da144ce41392a2e6105cdededaa1752124d5178e102ae38dab02dbabdd43c483c75e287006504c04b7eea4aa629e5
SSDEEP

768:f8FhylJE+hwr5hN7F0I0bQyvUgq65DQVi:f8qlJEQwrDNuIyvD5sV

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://194.49.94.210/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

C2

195.10.205.16:1056

Extracted

Family

redline

Botnet

LFA

C2

91.92.249.95:7124

Targets

- Target
  
  03edcc6fa1a6c4087078ebd6e0b9e582.exe
- Size
  
  37KB
- MD5
  
  03edcc6fa1a6c4087078ebd6e0b9e582
- SHA1
  
  eab72c5f24db3ce69464bb439d8934fa0b8bfef5
- SHA256
  
  346186ece8ef2ec4229c3f4bbdbecc4fd3aa6fcec3ca8c34601af5b896eecd6c
- SHA512
  
  b3c6c309e5d01faca8973195bebbdb86d72da144ce41392a2e6105cdededaa1752124d5178e102ae38dab02dbabdd43c483c75e287006504c04b7eea4aa629e5
- SSDEEP
  
  768:f8FhylJE+hwr5hN7F0I0bQyvUgq65DQVi:f8qlJEQwrDNuIyvD5sV
Score

10^/10

glupteba redline smokeloader zgrat @ytlogsbot livetraffic up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan lfa
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2