General

  • Target

    a41bc2ebb61e47ddf74f2d32d6f86e2b.exe

  • Size

    4.4MB

  • Sample

    240107-x1drqadbf8

  • MD5

    a41bc2ebb61e47ddf74f2d32d6f86e2b

  • SHA1

    9b14730d7b113ef59c788470aa69899026c65b8c

  • SHA256

    127936f8030690b03a5130d3d58d65536034746a1227184d8a6501877ea506c7

  • SHA512

    eb9298a435eef4590c63646aa692aafd30f38e28872767d743ee0153bfb5b367ef36095ae74a9313df1251d35f7395c20c7c17d2edf845ef20c0e95827b04a5d

  • SSDEEP

    98304:ezWF/eAlWlG1/AwuyT5vKD+x88TRfdCMtrNhBvsG7LRwjxos1BdmWt:ekQc1YI5yD+qwf44t7LRZs1BM

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      a41bc2ebb61e47ddf74f2d32d6f86e2b.exe

    • Size

      4.4MB

    • MD5

      a41bc2ebb61e47ddf74f2d32d6f86e2b

    • SHA1

      9b14730d7b113ef59c788470aa69899026c65b8c

    • SHA256

      127936f8030690b03a5130d3d58d65536034746a1227184d8a6501877ea506c7

    • SHA512

      eb9298a435eef4590c63646aa692aafd30f38e28872767d743ee0153bfb5b367ef36095ae74a9313df1251d35f7395c20c7c17d2edf845ef20c0e95827b04a5d

    • SSDEEP

      98304:ezWF/eAlWlG1/AwuyT5vKD+x88TRfdCMtrNhBvsG7LRwjxos1BdmWt:ekQc1YI5yD+qwf44t7LRZs1BM

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks