General

  • Target

    fd23d52e2ce8268f9648e5239256f5960e62d681315653c776eea49f45ec7c15

  • Size

    4.1MB

  • Sample

    240517-a4zf9she8v

  • MD5

    eb00d146a50bfc74d8281f4cca8fe3bc

  • SHA1

    54761a16f66a52fdf5d878c9b5a2dcc964c93006

  • SHA256

    fd23d52e2ce8268f9648e5239256f5960e62d681315653c776eea49f45ec7c15

  • SHA512

    8d65e62e4a651b20f29a731e56f5cd08f1601dd97dfb5863d5c471303eed25981a0cf523c3fa1e672a59f599583aaca81e466575cb2c0609408c7a686f934019

  • SSDEEP

    49152:H7QmEbcqaZzGq8QcqWQjVg2jH5kShpuw/ycY+0yIq1wyJFXQ2nyEuQGmmL:bWbHa59Z7dviShpLY7RCwkXQ2n5oL

Malware Config

Targets

    • Target

      fd23d52e2ce8268f9648e5239256f5960e62d681315653c776eea49f45ec7c15

    • Size

      4.1MB

    • MD5

      eb00d146a50bfc74d8281f4cca8fe3bc

    • SHA1

      54761a16f66a52fdf5d878c9b5a2dcc964c93006

    • SHA256

      fd23d52e2ce8268f9648e5239256f5960e62d681315653c776eea49f45ec7c15

    • SHA512

      8d65e62e4a651b20f29a731e56f5cd08f1601dd97dfb5863d5c471303eed25981a0cf523c3fa1e672a59f599583aaca81e466575cb2c0609408c7a686f934019

    • SSDEEP

      49152:H7QmEbcqaZzGq8QcqWQjVg2jH5kShpuw/ycY+0yIq1wyJFXQ2nyEuQGmmL:bWbHa59Z7dviShpLY7RCwkXQ2n5oL

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Roottkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks