Extracted

Extracted

• • Target

    3cf0b82b4b91ac001ede7dfe7736f42e2a5e1bd9cc6da34393ec9e18ec81a9fe

  • Size

    45KB

  • MD5

    e533f92146fcacb8caca823882b8d304

  • SHA1

    fcb2b79d08e2fb7a58142faf7db2a36f142b309d

  • SHA256

    3cf0b82b4b91ac001ede7dfe7736f42e2a5e1bd9cc6da34393ec9e18ec81a9fe

  • SHA512

    334b90d543b5835f88d3891c03fe78ac91c2569e47bfb11fbae58b9544fa569f411e4a2d8b57049a97f79afd51312eed57dd95c74b680331882ca77a46888c69

  • SSDEEP

    768:ygDUz4vSd32TINlRjiniKEc3dJ3Bwj+3p5SNUMNTEFiRQ:zUz4Kd320N+nir2FMN9NeiS

  Score

  10^/10

  gluptebasocks5systemzstealcbotnetdiscoverydropperevasionloaderpersistencerootkitspywarestealertrojanupx

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • Socks5Systemz

    Socks5Systemz is a botnet written in C++.

    botnetsocks5systemz

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Contacts a large (4085) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Windows security modification

    evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver.

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2