glupteba

General

Target

72fb4b278b6a9927a7d8a7801e5bb672.bin
Size

2.0MB
Sample

231228-b32qnsbga2
MD5

0affad01c7b7e3448debf05d11202d5b
SHA1

9b586adefd6c16874c1bc1cae88da85b882b7b57
SHA256

861bc492e059dd01b309812ef24197e64ce23c32dcb09af887cffab4399bde1c
SHA512

0757bd503edbf4461d1268cbb6f51f2c104a4188d07b7cd47b72d27b155c9bd2e525e3408913dc71cdcb5dc6666d0a41ff8546bc8ebe53de8446bdaba93139ad
SSDEEP

49152:zIx4ghx9nr3A3JmYHg65haG3VTj3I2+2n5oC:64ghxdIgehaGlf3Jn5oC

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

stealc

C2

http://5.42.66.58

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

777

C2

195.20.16.103:20440

Targets

- Target
  
  7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59.exe
- Size
  
  2.0MB
- MD5
  
  72fb4b278b6a9927a7d8a7801e5bb672
- SHA1
  
  7c27b347c171974bc21697165177c93717b8fc30
- SHA256
  
  7faa55e48d960f35296cfd917d2070c21a3967f5f8ace1d761ce888bda5fbc59
- SHA512
  
  49c752c3773b998e7ecce4d2acbcfe769c0e6ae0b2661e99085614982a840ad15c682344c4554478bfe6f9ed6fa9e5dc7d8cfd122db6e69b7ecd6de1398adf38
- SSDEEP
  
  49152:qL8Zj+zbbJ+ejFvwvHw+SKZDH/CQesuengxRztOQxHAfS:rj+n1+e2o9WCkNnYFtOQxH8
Score

10^/10

collection discovery persistence spyware stealer glupteba lumma redline smokeloader stealc 777 up3 backdoor dropper evasion infostealer loader trojan
- Detect Lumma Stealer payload V4
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2