General

  • Target

    e1c246833f93f8afa700267b380192b0d9abe77611c5821dfa9f46493c4b56bc

  • Size

    4.2MB

  • Sample

    240427-2bslsshh48

  • MD5

    747022037ac7257b9962af4ac7cf9efe

  • SHA1

    c273e25600ea9a334652ef2c7d4d5b8c41de94ea

  • SHA256

    e1c246833f93f8afa700267b380192b0d9abe77611c5821dfa9f46493c4b56bc

  • SHA512

    1765a538143993f7fabf965c4cd632b3af137985819a42566877cc829d5ec36b0bd9d174f146d85d173cc3a09d56f55acd1cd435689249379bb8a48ed2f362c3

  • SSDEEP

    98304:XamOmyh13YwSD+iffg9rOMOczucEEdNxQlfwo87Elwi0PG1d:XTy8Jy4o9ecZxQhwo8IinPG1d

Malware Config

Targets

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Modifies Windows Firewall

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Each tactic lists the mapped techniques as: technique, number of matching signatures, ATT&CK ID.

Execution

  • Scheduled Task/Job                  1  T1053

Persistence

  • Create or Modify System Process     1  T1543
  • Windows Service                     1  T1543.003
  • Boot or Logon Autostart Execution   1  T1547
  • Registry Run Keys / Startup Folder  1  T1547.001
  • Scheduled Task/Job                  1  T1053

Privilege Escalation

  • Create or Modify System Process     1  T1543
  • Windows Service                     1  T1543.003
  • Boot or Logon Autostart Execution   1  T1547
  • Registry Run Keys / Startup Folder  1  T1547.001
  • Scheduled Task/Job                  1  T1053

Defense Evasion

  • Impair Defenses                     1  T1562
  • Disable or Modify System Firewall   1  T1562.004
  • Modify Registry                     1  T1112

Discovery

  • Query Registry                      2  T1012
  • System Information Discovery        1  T1082

Tasks