Resubmissions

04/04/2024, 17:30

240404-v3bzssdf4w 10

04/04/2024, 15:38

240404-s29tbsbe3x 10

General

  • Target

    3a7259cb6547266d44b1e380bfea5c4bc07c7a2523ad6cd7ce66139fa16b7122

  • Size

    4.1MB

  • Sample

    240404-v3bzssdf4w

  • MD5

    e2d21962c915bda170ab3b65d4c31313

  • SHA1

    9eb22d5b1f1df8694575244d7c4ef009807e661e

  • SHA256

    3a7259cb6547266d44b1e380bfea5c4bc07c7a2523ad6cd7ce66139fa16b7122

  • SHA512

    c34858c05505473838ba35b93d2446f8f1fac72873258987cdc482017ba6f74d4b630e9a6ba2498034635f339e30cf87208544800aca0f96aefc40473b8d3d52

  • SSDEEP

    98304:gCeBGx3cgoWt2rHW1U559GC9as8ULpQIV5sk9so2FegdYADjK0bSqg3Ld9I:uBk3cZrHfb9Z9auTeo2FjHDvb32k

Malware Config

Targets

    • Target

      3a7259cb6547266d44b1e380bfea5c4bc07c7a2523ad6cd7ce66139fa16b7122

    • Size

      4.1MB

    • MD5

      e2d21962c915bda170ab3b65d4c31313

    • SHA1

      9eb22d5b1f1df8694575244d7c4ef009807e661e

    • SHA256

      3a7259cb6547266d44b1e380bfea5c4bc07c7a2523ad6cd7ce66139fa16b7122

    • SHA512

      c34858c05505473838ba35b93d2446f8f1fac72873258987cdc482017ba6f74d4b630e9a6ba2498034635f339e30cf87208544800aca0f96aefc40473b8d3d52

    • SSDEEP

      98304:gCeBGx3cgoWt2rHW1U559GC9as8ULpQIV5sk9so2FegdYADjK0bSqg3Ld9I:uBk3cZrHfb9Z9auTeo2FjHDvb32k

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in the operating system; Kernel Patch Protection (PatchGuard) exists to block exactly that, so an attempt to disable it is a strong rootkit indicator.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified build of it.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory
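The signature names above are only labels; the following is an added example (not the sandbox's own rules and not code from the sample) that re-implements, in simplified form, what triggers several of them: a static check for the "UPX packed file" signature that parses a PE section table, and behavioural rules over sandbox-style events for the bcdedit, firewall, Run key, Uninstall-key, driver-drop and WinMon/WinMonFS signatures. Every event line, path and registry value name, and the header-only PE image, is constructed here for the demo; the regex behind "Possible attempt to disable PatchGuard" is an assumption, since the report does not say what fires it.

```python
"""Added example: simplified re-implementation of several signatures in this
report. All events and the PE image are constructed; nothing here comes from
the analysed sample."""
import re
import struct

# Constructed sandbox-style events: (event_type, value). Paths, rule names
# and registry value names are invented for the demo.
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\bcdedit.exe /set {default} testsigning on"),
    ("process", r'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\Example\svc.exe"'),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("registry_query", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"),
    ("file_write", r"C:\Windows\System32\drivers\WinMon.sys"),
    ("file_write", r"C:\Windows\System32\drivers\WinMonFS.sys"),
    ("file_write", r"C:\Windows\System32\example.dat"),
    ("device_io", r"\\.\WinMon"),
    ("device_io", r"\\.\WinMonFS"),
]

# (signature name as printed in the report, event type, regex on the value).
# The PatchGuard rule is an assumption: the report does not say what fires it,
# so it keys on the bcdedit options commonly used to allow unsigned kernel
# code, which a kernel-patching rootkit needs.
RULES = [
    ("Modifies boot configuration data using bcdedit", "process",
     r"(?i)\bbcdedit(\.exe)?\b.*\s/set\b"),
    ("Possible attempt to disable PatchGuard", "process",
     r"(?i)\bbcdedit.*\b(testsigning|nointegritychecks)\s+on\b"),
    ("Modifies Windows Firewall", "process",
     r"(?i)\bnetsh(\.exe)?\b.*\badvfirewall\b"),
    ("Adds Run key to start application", "registry_set",
     r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
    ("Checks installed software on the system", "registry_query",
     r"(?i)\\CurrentVersion\\Uninstall\\"),
    ("Drops file in Drivers directory", "file_write",
     r"(?i)^[a-z]:\\Windows\\System32\\drivers\\"),
    ("Drops file in System32 directory", "file_write",
     r"(?i)^[a-z]:\\Windows\\System32\\"),
    ("Manipulates WinMon driver", "device_io", r"(?i)^\\\\\.\\WinMon$"),
    ("Manipulates WinMonFS driver", "device_io", r"(?i)^\\\\\.\\WinMonFS$"),
]


def match_signatures(events):
    """Return the sorted names of every rule that at least one event triggers."""
    hits = set()
    for name, event_type, pattern in RULES:
        regex = re.compile(pattern)
        if any(t == event_type and regex.search(v) for t, v in events):
            hits.add(name)
    return sorted(hits)


def pe_section_names(data):
    """Walk the DOS header, PE signature and COFF header of a PE image and
    return the names from its section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size  # section headers are 40 bytes each
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Heuristic behind the 'UPX packed file' signature: stock UPX names its
    sections UPX0/UPX1/UPX2. Modified UPX builds often rename them, so a
    production rule also looks for the 'UPX!' marker and high entropy."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def build_minimal_pe(section_names):
    """Constructed header-only x64 PE (no code) with the given section names,
    used as offline input for the parser above."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(section_names),
                                   0, 0, 0, 0, 0x22)  # SizeOfOptionalHeader = 0
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                     for n in section_names)
    return dos + coff + table


if __name__ == "__main__":
    for hit in match_signatures(SAMPLE_EVENTS):
        print("HIT:", hit)
    print("UPX:", looks_upx_packed(build_minimal_pe(["UPX0", "UPX1", ".rsrc"])))
```

Note that a single driver drop fires both "Drops file in Drivers directory" and "Drops file in System32 directory", which is why sandbox reports routinely list both; the rules are deliberately overlapping rather than exclusive.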

MITRE ATT&CK Enterprise v15

Tasks