glupteba

Sharing

Copy URL

Twitter E-mail

General

Target

b6495a9c6a890740db6f41bf37af8427.bin
Size

27KB
Sample

231220-dq98dscgg7
MD5

f8dec2a4457c44910844eef8f8eb3f2d
SHA1

8f2da1c5dfdac21ed0734bac0a83bfd71d2361bf
SHA256

750541e3c02cdea8ed3796f5d16bf1ed748597433f6ac1d8cec02ee0392b13ec
SHA512

13f807e4391b8e7d31023c2ecc48026287381d8e9a20d145383c32ad69b346dea8a3966818f1133fa240eae957816a6db03f3cd63ad71da7adbcf57d30c87652
SSDEEP

768:XHrCwyhFMKf/vHXbO+M+KsAbGRdRsm2epLWjyKflPLdhJ+X:XHuwyhG6HXb5fGGRdzdWjys5hJ+X

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

Extracted

Family

stealc

http://77.91.76.36

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

77.105.132.87:17066

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7.exe
- Size
  
  36KB
- MD5
  
  b6495a9c6a890740db6f41bf37af8427
- SHA1
  
  97eff597d991a62bffc0774952dd9ffb45d7b3f4
- SHA256
  
  816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7
- SHA512
  
  63fcbaa890baa84cb9fd8b7f8a016e811e0d5148d1432f10ac3f69637497e1608c4ee03ab6f16637b082ad3d81ff3fa47477c4fb00a8f951a0116477a66881c8
- SSDEEP
  
  768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3
Score

10^/10

redline smokeloader stealc zgrat 666 @oleh_ps livetraffic up3 backdoor evasion infostealer rat stealer trojan glupteba rhadamanthys discovery dropper loader spyware
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Modifies boot configuration data using bcdedit
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect ZGRat V1

Glupteba payload

RedLine

RedLine payload

Rhadamanthys

SmokeLoader

Stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2