General

  • Target

    ba7dd83dc7cc9d396b49d8afd312591627746714dd208e63f03c46ca5a977bd7

  • Size

    378KB

  • Sample

    240417-qpxxwsba3s

  • MD5

    15cda3a3ce59d6a3a7d1f9332740075f

  • SHA1

    84ce37039e087e2ab06561a9852fca4e86f9e86f

  • SHA256

    ba7dd83dc7cc9d396b49d8afd312591627746714dd208e63f03c46ca5a977bd7

  • SHA512

    335c2fd5b420fc4f3a90dec86c1479d263572e7931474052893ae5331a5b9c746f9f5fc18453d9698efc21a0c9d2c067506cb9f77fa2f26dc2f7a60eb03c7d6b

  • SSDEEP

    6144:udMjpDm3+cfU1mll0W7xuAYDFqn3xtyW3JVz0anvsPWZqX21EccWnB3qLCmPxva5:IipDmu8LR7VWq3xtJR9vWOT1EZIULXx6

Targets

    • Target

      2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0.exe

    • Size

      396KB

    • MD5

      01f642a68a587ee691ce6033c436e0e1

    • SHA1

      e54acbd5ed2125b5118deeec10c059d4e88803cd

    • SHA256

      2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0

    • SHA512

      da2cd93c653639de73c1461d0fe92cb666794159ebcb7d8492abb859c0cd10e1ffcc65effd1d13a72f74aa571c70d0f1c901246478d1ee77d5a7a7546ac87202

    • SSDEEP

      6144:9foVL+C+YZTWgnFaF7VVeTJuFi5YFvfYdAE2aJi3yeYKmMvfsNVY1cvG35yp:9c9ZTWaFaFxVQ2YdAE2aJi3uKIN3

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
