glupteba

General

Target

v2_file_x86x64.rar
Size

10.0MB
Sample

240420-r7jzesbe41
MD5

f55d4e6678451a6f75bdb83d3b1336c7
SHA1

9d3ca8fb3a661342812add29c2d7caf53eab9fe6
SHA256

486ca0c7b2c67e899d74392deb9bd609d41b185b0364b7c161f8d2d042a31786
SHA512

fb11cf3365bcd40f9ff8ea41d02fa163be3b00d83478e172db8896341bcef17ea3a32782d23044a1bbc4882e7ab28ff2b6954dcc3ec7029ce715157e247028be
SSDEEP

196608:YnoSG07h96IWydRfrmpbaKF7hiDY5D0/7qCrDaBKGtWM2IBFMSUv6YBe:CZhdsIWydhGHiDBO0+B86FJ3

Score

10^/10

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.23

Attributes

url_path
/f993692117a3fda2.php

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199673019888

https://t.me/irfail

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.50:33080

Targets

- Target
  
  setup.exe
- Size
  
  759.0MB
- MD5
  
  a3a3e8990cefc370fc3c3db21603f21e
- SHA1
  
  43363d10f946a9dba9b4f004bc961bd3991029e5
- SHA256
  
  239c9656f60b14ee7ab89da649d1411c8d1fa2d5fa1d687e61e5680674ff279b
- SHA512
  
  d543fb6072c3e25e6a67a6a7a904cb9f9ce1c48774fadc09f8e1c147c1467a5ef73f6b1b81850bb0a28a3653834c31c8acb1be88543f467a1e6f32dffd9c3e9e
- SSDEEP
  
  98304:u5mpCa1OHSR+XHb3Poj+eKiW6ytGwWXW:GWCamxbw6/iCww
Score

10^/10

glupteba stealc dropper evasion loader spyware stealer themida trojan redline risepro vidar zgrat logsdiller cloud (tg: @logsdillabot)discovery infostealer pyinstaller rat
- Detect Vidar Stealer
  stealer
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies firewall policy service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2