glupteba

General

Target

2024-05-11_d2f812118c89341715fbff0ba9530396_megazord
Size

2.7MB
Sample

240511-n3hzsahg57
MD5

d2f812118c89341715fbff0ba9530396
SHA1

8e9cfa2ebe51e9f71d55b161fb13aae13ee3744f
SHA256

716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d
SHA512

7a1884c5b2130db511f318103ece6ae1499c1e877e4dfc39d6c83b762febea258b5921fa72ae3b413ecfc752b571b2ce33f6fa1f680461d94fc3d2f1988d6c77
SSDEEP

24576:tRoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvQB5VA0UC1dUUKj/LZ8j3gy:boKmo4jC6Tov2RUC1doj/wgy

Score

10^/10

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Targets

- Target
  
  2024-05-11_d2f812118c89341715fbff0ba9530396_megazord
- Size
  
  2.7MB
- MD5
  
  d2f812118c89341715fbff0ba9530396
- SHA1
  
  8e9cfa2ebe51e9f71d55b161fb13aae13ee3744f
- SHA256
  
  716741d85859c7c4747395deb709dc0b4b2741a0d15850aa3a706cc05d61bf6d
- SHA512
  
  7a1884c5b2130db511f318103ece6ae1499c1e877e4dfc39d6c83b762febea258b5921fa72ae3b413ecfc752b571b2ce33f6fa1f680461d94fc3d2f1988d6c77
- SSDEEP
  
  24576:tRoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvQB5VA0UC1dUUKj/LZ8j3gy:boKmo4jC6Tov2RUC1doj/wgy
Score

10^/10

glupteba privateloader stealc zgrat dropper evasion execution loader rat stealer
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Modifies firewall policy service
  evasion
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects encrypted or obfuscated .NET executables
- Detects executables (downlaoders) containing URLs to raw contents of a paste
- Detects executables Discord URL observed in first stage droppers
- Detects executables built or packed with MPress PE compressor
- Detects executables containing URLs to raw contents of a Github gist
- Detects executables containing artifacts associated with disabling Widnows Defender
- Detects executables referencing many varying, potentially fake Windows User-Agents
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2