General

  • Target

    489a9fcd495fd2fd0175464d21e5d9febdde316da3e0e5ed15c3865381fe21e5

  • Size

    4.1MB

  • Sample

    240509-2vcppaef59

  • MD5

    7ac0905b0fcebd7b28f9c2cfeee7855a

  • SHA1

    701e7419504a14c780b05cfc0016c488c93e5ef6

  • SHA256

    489a9fcd495fd2fd0175464d21e5d9febdde316da3e0e5ed15c3865381fe21e5

  • SHA512

    60af84ed7a5e6b1424d729985f8e0ca326fe5dcb39a8105e2f0c32474cd8575bc0571a5f26cf8d073367373f85b514fb703c21b09af55ceb59f8d233c4e9a01f

  • SSDEEP

    98304:8NDkrDkWF0Od7Bbpe5aREltWx6CTK/peOvQS+4COpa+u:6or6Od7re5aRZx6kgpe94Cln

Malware Config

Targets

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks