Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b9df2710a2b71af9139373827354f14665fea10652871e6dacf8954e18322a7d

  • Size

    4.2MB

  • Sample

    240420-zjbbdahe49

  • MD5

    8ec00d33cf600a6e0775180b2e0b6c0a

  • SHA1

    ef12fe7f7484028c86592713ca67f0afe6ee2a94

  • SHA256

    b9df2710a2b71af9139373827354f14665fea10652871e6dacf8954e18322a7d

  • SHA512

    e160c75a21bb0794f881884e8543113659e7d2c23afb36e5c91b09209b0a1bfefae80491ef15eea588667a16611309ea5cdeb6a65dcd22e087031a38bf9b6ba7

  • SSDEEP

    98304:bVFRqPMdPA984H0WMAw6acMgLNchhd+W2lPIIo31xn1vrLR/3LzT:hFYkS+E0uawLNQ+/9Bo7/D

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Targets

    • Target

      b9df2710a2b71af9139373827354f14665fea10652871e6dacf8954e18322a7d

    • Size

      4.2MB

    • MD5

      8ec00d33cf600a6e0775180b2e0b6c0a

    • SHA1

      ef12fe7f7484028c86592713ca67f0afe6ee2a94

    • SHA256

      b9df2710a2b71af9139373827354f14665fea10652871e6dacf8954e18322a7d

    • SHA512

      e160c75a21bb0794f881884e8543113659e7d2c23afb36e5c91b09209b0a1bfefae80491ef15eea588667a16611309ea5cdeb6a65dcd22e087031a38bf9b6ba7

    • SSDEEP

      98304:bVFRqPMdPA984H0WMAw6acMgLNchhd+W2lPIIo31xn1vrLR/3LzT:hFYkS+E0uawLNQ+/9Bo7/D

    Score
    10/10
    gluptebadropperevasionloaderupxdiscoverypersistencerootkit

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

      rootkitevasion

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks