glupteba | b36ba7bf3d9bd14f518c4c5a4a68b28860e0f778fa89a7a8aa225fb7f97f355d | Triage

Submit
Reports

Overview

overview

Static

static

1

cryptolaemus

windows10-2004-x64

cryptolaemus

windows11-21h2-x64

Sharing

General

Target

b36ba7bf3d9bd14f518c4c5a4a68b28860e0f778fa89a7a8aa225fb7f97f355d
Size

4.2MB
Sample

240426-3lmc7sfc71
MD5

5377602cc16b14914978a4db2d3e8cac
SHA1

a4c679fe48ed474a3a1bfa1ae558983d5d8600bc
SHA256

b36ba7bf3d9bd14f518c4c5a4a68b28860e0f778fa89a7a8aa225fb7f97f355d
SHA512

975313c7a9b48a77b034efc7c3480d26f0872b8ba0638a828d2bf470882d27f8ea2950bf796a948e751916372e0f7a436c6ce1bffe4b6e530c04bd38947e2cd5
SSDEEP

98304:gkAjdDPAeC2B02wyEqB4QU18FBwX92iJvUa6o386BoSeiwZU4mjQxQm:LuPAV2B0NRqB88FqJvA6j4GQD

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit

Static task

static1

Behavioral task

behavioral1

Sample

b36ba7bf3d9bd14f518c4c5a4a68b28860e0f778fa89a7a8aa225fb7f97f355d.exe

Resource

win10v2004-20240419-en

glupteba discovery dropper evasion loader persistence rootkit

windows10-2004-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

b36ba7bf3d9bd14f518c4c5a4a68b28860e0f778fa89a7a8aa225fb7f97f355d.exe

Resource

win11-20240419-en

glupteba discovery dropper evasion loader persistence rootkit

windows11-21h2-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  b36ba7bf3d9bd14f518c4c5a4a68b28860e0f778fa89a7a8aa225fb7f97f355d
- Size
  
  4.2MB
- MD5
  
  5377602cc16b14914978a4db2d3e8cac
- SHA1
  
  a4c679fe48ed474a3a1bfa1ae558983d5d8600bc
- SHA256
  
  b36ba7bf3d9bd14f518c4c5a4a68b28860e0f778fa89a7a8aa225fb7f97f355d
- SHA512
  
  975313c7a9b48a77b034efc7c3480d26f0872b8ba0638a828d2bf470882d27f8ea2950bf796a948e751916372e0f7a436c6ce1bffe4b6e530c04bd38947e2cd5
- SSDEEP
  
  98304:gkAjdDPAeC2B02wyEqB4QU18FBwX92iJvUa6o386BoSeiwZU4mjQxQm:LuPAV2B0NRqB88FqJvA6j4GQD
Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gluptebadiscoverydropperevasionloaderpersistencerootkit

behavioral2

gluptebadiscoverydropperevasionloaderpersistencerootkit

© 2018-2024

Terms | Privacy