glupteba

General

Target

0bf52ae2496ca04e7f47c2a673ba48ba.exe
Size

1.7MB
Sample

231212-ba8nhsddh3
MD5

0bf52ae2496ca04e7f47c2a673ba48ba
SHA1

579234114a4808fdfcd9e7217274c7254f69483b
SHA256

230c51252d44500fb3c6e6481136a1b06730602bf8daf8162c3decc95cff2355
SHA512

2a6735538e5f1a6cbae8f13d0d8be2556d2c49c607eb9aed3d13e42704da0f45842ff5b71f60b8914d62e9f8bdc9caa0d58c1b3870a46f06dc039242f4ccbfd5
SSDEEP

24576:Qyg8uQ2MKw0pKV3d5kUsTUJW/Z0pspikh3AukWLF0/h+MKOFzDD8n9bYcOd8dRSZ:XlcMKwSQgUgUJt6GutFqh+9y8YVaS

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

C2

77.105.132.87:17066

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Targets

- Target
  
  0bf52ae2496ca04e7f47c2a673ba48ba.exe
- Size
  
  1.7MB
- MD5
  
  0bf52ae2496ca04e7f47c2a673ba48ba
- SHA1
  
  579234114a4808fdfcd9e7217274c7254f69483b
- SHA256
  
  230c51252d44500fb3c6e6481136a1b06730602bf8daf8162c3decc95cff2355
- SHA512
  
  2a6735538e5f1a6cbae8f13d0d8be2556d2c49c607eb9aed3d13e42704da0f45842ff5b71f60b8914d62e9f8bdc9caa0d58c1b3870a46f06dc039242f4ccbfd5
- SSDEEP
  
  24576:Qyg8uQ2MKw0pKV3d5kUsTUJW/Z0pspikh3AukWLF0/h+MKOFzDD8n9bYcOd8dRSZ:XlcMKwSQgUgUJt6GutFqh+9y8YVaS
Score

10^/10

glupteba privateloader redline risepro smokeloader zgrat @oleh_ps livetraffic up3 backdoor collection discovery dropper infostealer loader persistence rat spyware stealer trojan
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2