Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620

  • Size

    521KB

  • Sample

    240507-y46scadh9z

  • MD5

    6fbe36ef1d6599968f107c7b6eb19225

  • SHA1

    8761289110102b0a661ffbe28ed7f0a730311c5e

  • SHA256

    ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620

  • SHA512

    cff59fcc496248772906e1c6a1cd5bfe7ece2103b52ed05fd2426fc5e1f5afd184821ee35a8d55f8ab32ddc24781fd733987d0a05f54df89a9478ac93d344428

  • SSDEEP

    6144:39y51HwqQwU0PbQpf1oFdHr34eXHZCTUPEn0IlHgv59OxsDXqYe8RBCu97x+ucSR:3E51HwgRdLoeXMHnfHgzOi6kR5x+9aUI

Score
10/10
gluptebazgratdiscoverydropperevasionexecutionloaderratspywarestealertrojan

Malware Config

Targets

    • Target

      ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620

    • Size

      521KB

    • MD5

      6fbe36ef1d6599968f107c7b6eb19225

    • SHA1

      8761289110102b0a661ffbe28ed7f0a730311c5e

    • SHA256

      ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620

    • SHA512

      cff59fcc496248772906e1c6a1cd5bfe7ece2103b52ed05fd2426fc5e1f5afd184821ee35a8d55f8ab32ddc24781fd733987d0a05f54df89a9478ac93d344428

    • SSDEEP

      6144:39y51HwqQwU0PbQpf1oFdHr34eXHZCTUPEn0IlHgv59OxsDXqYe8RBCu97x+ucSR:3E51HwgRdLoeXMHnfHgzOi6kR5x+9aUI

    Score
    10/10
    gluptebazgratdiscoverydropperevasionexecutionloaderratspywarestealertrojan

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks