General

  • Target: 97fec03b84ab258614148496ef79735edf1f937763b0cb857db6f55476dc310a
  • Size: 378KB
  • Sample: 240417-q8qb6aag28
  • MD5: 4075beed0f66fda1f8be112c19655302
  • SHA1: fbda51527f64e16f9ea8c51a7d2ef4fa4045ef79
  • SHA256: 97fec03b84ab258614148496ef79735edf1f937763b0cb857db6f55476dc310a
  • SHA512: 6e2d309383c88dd569b72d65456731c5c642655e7c3c43d23742260753d734bd1a64577974be9881b2ace6853848677ea6e0338593668a962aac34031c47320d
  • SSDEEP: 6144:aHP+Mtw8V5lu27UBlHqY6OG3sSTxecwOlZbjOcIcOBzxxg/tbC2v1PrP:aHP+MtpM2ABlHz0sSiOllCQOvMbrhP

Malware Config

Targets

    • Target: 2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0.exe
    • Size: 396KB
    • MD5: 01f642a68a587ee691ce6033c436e0e1
    • SHA1: e54acbd5ed2125b5118deeec10c059d4e88803cd
    • SHA256: 2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0
    • SHA512: da2cd93c653639de73c1461d0fe92cb666794159ebcb7d8492abb859c0cd10e1ffcc65effd1d13a72f74aa571c70d0f1c901246478d1ee77d5a7a7546ac87202
    • SSDEEP: 6144:9foVL+C+YZTWgnFaF7VVeTJuFi5YFvfYdAE2aJi3yeYKmMvfsNVY1cvG35yp:9c9ZTWaFaFxVQ2YdAE2aJi3uKIN3

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks