General
-
Target
file.exe
-
Size
456KB
-
Sample
231201-wrfpaaef45
-
MD5
a8145015691ccb73460a69fa0a8b0304
-
SHA1
d1f61cd7ccf682868720dacfc91f50ce4e70412b
-
SHA256
eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2
-
SHA512
246c43e235fa7c5b4ec9575dd68448db19b28532f5bb51b3baa9b3637a990f25c3677b54fc40d47bd0ced5e97fb10dbe0a04e0df5516f9ca24a5bf47fb2a78f1
-
SSDEEP
6144:I1/tBaOZZfURQrLmwCn/2L04fiOFnZitWpqdc6WwjLC6a2HEZ+rG7tUW:mtbRURQ+wC+9KtWpqSNg+6RrqtUW
Static task
static1
Malware Config
Extracted
vidar
6.7
b38cb04787049a109b9655c2379f5b97
https://t.me/s4p0g
https://steamcommunity.com/profiles/76561199575355834
-
profile_id_v2
b38cb04787049a109b9655c2379f5b97
Targets
-
-
Target
file.exe
-
Size
456KB
-
MD5
a8145015691ccb73460a69fa0a8b0304
-
SHA1
d1f61cd7ccf682868720dacfc91f50ce4e70412b
-
SHA256
eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2
-
SHA512
246c43e235fa7c5b4ec9575dd68448db19b28532f5bb51b3baa9b3637a990f25c3677b54fc40d47bd0ced5e97fb10dbe0a04e0df5516f9ca24a5bf47fb2a78f1
-
SSDEEP
6144:I1/tBaOZZfURQrLmwCn/2L04fiOFnZitWpqdc6WwjLC6a2HEZ+rG7tUW:mtbRURQ+wC+9KtWpqSNg+6RrqtUW
-
Glupteba payload
-
Modifies boot configuration data using bcdedit
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1