General

  • Target

    3f1140ab36ad08e3e25fdb41c8e6528c5d4ef70cb4f8e846b48260e1e52eb8a2

  • Size

    376KB

  • Sample

    240417-q3wa8abh4y

  • MD5

    9e6cf21ea52cc7414fd5c758ba11ff18

  • SHA1

    b7064fa34d5b6c28a36e279b464759ef90e0ca35

  • SHA256

    3f1140ab36ad08e3e25fdb41c8e6528c5d4ef70cb4f8e846b48260e1e52eb8a2

  • SHA512

    9aa33ac00355b8fa3f60fadada3a18767d6c8d6867e70c8cbea10e0b19786c9e1543a76b65970d6b897b1a4258c3791378641daed21f5d9d2a7f21f18359c7c9

  • SSDEEP

    6144:Spv0FMr8WHBbZsdcEBoLeLhpSQ4m9bgO2in9xdCdVMSZB7vQIE1nb96p8m73kb8U:Sa+nuBKKSQ4kbgO2e9x4mQ7QvNJuK8U

Malware Config

Targets

    • Target

      56768dc2486a0eadfb82e3df6436434d1b6502d542fe6c41e2b52aae948b140f.exe

    • Size

      390KB

    • MD5

      f3054dc7004336617747743d172b111b

    • SHA1

      4c619d882a80bff1ec7d26bc5f5f6b7cf93676be

    • SHA256

      56768dc2486a0eadfb82e3df6436434d1b6502d542fe6c41e2b52aae948b140f

    • SHA512

      f3181fcd53823a635e9c828de8090017b0f97cc4903f75dfeba721bd98c77a4de867e94cd929954063469b926350f40476fe1a07bad6b2fe0007b78f3772ed69

    • SSDEEP

      12288:0mpLB0g2B9kBnIS7aqDiF2EzP1h3HLTx9SlIczAvDvv:d0njm/7DDiF/v3ncIc8vDvv

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks