Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4594279f193a52a3000200fcc595f7875a457ff65cb91e5508630952a6cc6915

  • Size

    4.2MB

  • Sample

    240430-l37l2ahh3s

  • MD5

    385c8584e540fac31b92cd8092599d88

  • SHA1

    87fb9978a53acc597aeb09b06b5596bf11aacfbc

  • SHA256

    4594279f193a52a3000200fcc595f7875a457ff65cb91e5508630952a6cc6915

  • SHA512

    6939b234f01c5d81783cd62e021966bd548333a6b813c1bec32552ec1f5a2544b50b9c48663343a945b52789b1df49edd0a93dd1ec4d533e9f9a3031192782c1

  • SSDEEP

    98304:n/b+KJmiBMor9GQLaPpt0vK/+kpZQUDoPdzttRPI9D4Y5T6eALBIt:z+KAorFLaPpt06r/QU0Pd5tRu4YZ6ej

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Targets

    • Target

      4594279f193a52a3000200fcc595f7875a457ff65cb91e5508630952a6cc6915

    • Size

      4.2MB

    • MD5

      385c8584e540fac31b92cd8092599d88

    • SHA1

      87fb9978a53acc597aeb09b06b5596bf11aacfbc

    • SHA256

      4594279f193a52a3000200fcc595f7875a457ff65cb91e5508630952a6cc6915

    • SHA512

      6939b234f01c5d81783cd62e021966bd548333a6b813c1bec32552ec1f5a2544b50b9c48663343a945b52789b1df49edd0a93dd1ec4d533e9f9a3031192782c1

    • SSDEEP

      98304:n/b+KJmiBMor9GQLaPpt0vK/+kpZQUDoPdzttRPI9D4Y5T6eALBIt:z+KAorFLaPpt06r/QU0Pd5tRu4YZ6ej

    Score
    10/10
    gluptebadiscoverydropperevasionloaderpersistencerootkitupx

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

      rootkitevasion

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks