glupteba

General

Target

142a4cc96d518e6005b3e3f14c9435ac9e908d4700672f9d8cd12e333830340d
Size

4.2MB
Sample

240426-3yr48aff3z
MD5

d64e66f33ab2867cb03fafd0fd9f199f
SHA1

b49802537fa13de4501101403959b1b87900c172
SHA256

142a4cc96d518e6005b3e3f14c9435ac9e908d4700672f9d8cd12e333830340d
SHA512

a1acfdb815617dd98101d29e0ff529297484cac1ac5ea177afd9d27a9d1b468bf2bec0cf88cf77e53917fb72527eab1fc14ca8eff601ef42b03590fbbec71fc4
SSDEEP

98304:AkAjdDPAeC2B02wyEqB4QU18FBwX92iJvUa6o386BoSeiwZU4mjQxQ3:ruPAV2B0NRqB88FqJvA6j4GQq

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  142a4cc96d518e6005b3e3f14c9435ac9e908d4700672f9d8cd12e333830340d
- Size
  
  4.2MB
- MD5
  
  d64e66f33ab2867cb03fafd0fd9f199f
- SHA1
  
  b49802537fa13de4501101403959b1b87900c172
- SHA256
  
  142a4cc96d518e6005b3e3f14c9435ac9e908d4700672f9d8cd12e333830340d
- SHA512
  
  a1acfdb815617dd98101d29e0ff529297484cac1ac5ea177afd9d27a9d1b468bf2bec0cf88cf77e53917fb72527eab1fc14ca8eff601ef42b03590fbbec71fc4
- SSDEEP
  
  98304:AkAjdDPAeC2B02wyEqB4QU18FBwX92iJvUa6o386BoSeiwZU4mjQxQ3:ruPAV2B0NRqB88FqJvA6j4GQq
Score

10^/10

glupteba wannacry discovery dropper evasion loader persistence ransomware rootkit upx worm
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1