Extracted

• • Target

    da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe

  • Size

    4.0MB

  • MD5

    e3255b216748070e4bc397405fdf6fad

  • SHA1

    aac9ba5c1a98faa2f03a20cc39b6afdb72f3a2d4

  • SHA256

    da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6

  • SHA512

    949edc571c1a944b1ce872611842ee5f9a27cda3d349207b48a57f318d31643bc514bec62cb81e0365ce58c10a4fb2b0ea26e745b013760be2d8b28768f38a2d

  • SSDEEP

    49152:/FL8Xf6qIED5X0MJEJsaoSo5dqqlg+egF0ty6H4NhGKjmuU5JN:69n4ojqV00Z

  Score

  10^/10

  gluptebastealcdiscoverydropperevasionloaderstealerupxpersistencespyware

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Detect binaries embedding considerable number of MFA browser extension IDs.

  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

  • Detects Windows executables referencing non-Windows User-Agents

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables (downlaoders) containing URLs to raw contents of a paste

  • Detects executables Discord URL observed in first stage droppers

  • Detects executables containing URLs to raw contents of a Github gist

  • Detects executables containing artifacts associated with disabling Widnows Defender

  • Detects executables packed with VMProtect.

  • Detects executables referencing many varying, potentially fake Windows User-Agents

  • UPX dump on OEP (original entry point)

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Modifies boot configuration data using bcdedit

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2