General
-
Target
f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005
-
Size
789KB
-
Sample
240425-kgwrzahb56
-
MD5
8026082d59bac905bcc4098c69b98743
-
SHA1
5c8bffce653aa3b6c3e14d5f02927648b5ca8768
-
SHA256
f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005
-
SHA512
304339d26694f1225a23014862676f759c9332ea43ab53c9cb665346228dbed5ece4dca5e41b4d577fdf18ea70f7c61cda852e5122a7fbcf3bdfec5acc0f9f42
-
SSDEEP
12288:UsP3NrvWMBOyImjR4rrRyimS3lE28kNp6MARWch8kMp5okT23gvub5mqn6Ec0Lhy:UsP3NrvW31m9Ysd9lgvu4q6EgtOt3F3u
Static task
static1
Behavioral task
behavioral1
Sample
f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
Resource
win10v2004-20240412-en
Malware Config
Targets
-
Target
f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005
-
Glupteba payload
-
Modifies firewall policy service
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Create or Modify System Process: 2
Windows Service: 2
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Scheduled Task/Job: 1
Privilege Escalation
Create or Modify System Process: 2
Windows Service: 2
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Scheduled Task/Job: 1
Defense Evasion
Modify Registry: 7
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Impair Defenses: 4
Disable or Modify Tools: 3
Disable or Modify System Firewall: 1
Virtualization/Sandbox Evasion: 1
Subvert Trust Controls: 1
Install Root Certificate: 1