glupteba

General

Target

666b5db1f0816eebf1ce57db45e2b794964a8525703aff99ab641ddf528cc0da
Size

398KB
Sample

240417-q87lfacc2w
MD5

80ed2ba902f81245754fd51e10993191
SHA1

744d9c9f66859423bb49ed764453e97cda0a793e
SHA256

666b5db1f0816eebf1ce57db45e2b794964a8525703aff99ab641ddf528cc0da
SHA512

2f1c2130e9abd4fd19312c78c8a08bf117ce5196dd50f33550cc98af671787bfae825e5ef476ea29dd0e8f74bb24ddbbe01c777292d43bc2e5de91bacd3a8237
SSDEEP

6144:Ta/EeAczUH3+WX8ZFZ0Cdb3/4/+/2fTEAuLLwfXCfVyPzVnz3cTxPhnShaVzUNrz:TwADHuWX8ZpKS2ADfwvEEr1jUP1ShwLW

Score

10^/10

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Targets

- Target
  
  612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc.exe
- Size
  
  424KB
- MD5
  
  7660d1df7575e664c8f11be23a924bba
- SHA1
  
  22a6592b490e2ef908f7ecacb7cad34256bdd216
- SHA256
  
  612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
- SHA512
  
  77c22370eaed5e096a476778d24c26fcd0105d56419bbd1a5af125028dea702aa8537017629920de08f9b7c20d3b9242606e37ace3e456d34730d0e54f20c15e
- SSDEEP
  
  12288:ryWjrJS5FchtDO/V4Cqi0RlYZTRjzg2AYU:ryoJ8KhtDgVfJLTRjs2AYU
Score

10^/10

glupteba stealc zgrat dropper evasion loader rat stealer rhadamanthys discovery persistence rootkit spyware upx
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies firewall policy service
  evasion
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2