glupteba

Sharing

General

Target

file_x86x64_release.zip
Size

10.7MB
Sample

240517-zbvp2shf9z
MD5

73ab5075c62b5627cf6e646275bc32f0
SHA1

648eb3ba87cd5cd2ba66627beef3ac0255e6d3b8
SHA256

57e35a9db07b372120acd222627eba20e03d4baa88d5fc098e681ddd98b31e87
SHA512

a2fba085fb84d1bdcb39cb2f2d35b8058d8e6a55776904d729312f92d2d8860fcab88de15e4e1e400f99e4c530a06e2793a14520257d71a81a6fb179bcba3f44
SSDEEP

196608:Em86l40MzBbR9vBiaVwRFeUWaybY+WiXW/UwHnzEsV1nrAQITSQMDy2bDj:h8I40s95wjeVkiXWskzEsnJIGQMDb

Score

10^/10

Malware Config

Extracted

Family

risepro

147.45.47.126:58709

Targets

- Target
  
  file_x86x64_release/concrt140.dll
- Size
  
  309KB
- MD5
  
  31f210ed5c6f2d8faa1d896cda18584b
- SHA1
  
  5444d919f5014fb6bf58cefc6f01088c32a24a00
- SHA256
  
  5393f592cded7bd8ae07b2afc3efdcc4a0b05f7e8e74380a267398266fc02d41
- SHA512
  
  d39aa7acfd982759825b537a9ca5b04e6cdd9c0a28089e0f666ae4b75e84e2e2e58180103da38bea79efe3252cb9f1932efa69b64461cb76173645e8b6ddf3f6
- SSDEEP
  
  6144:Ylm+bq4hSdOec4xWMXdtvo4KbrniIzb7wQjnWzgCE33g:pmP/eJXzvSCzW3g
Score

1^/10
behavioral1 behavioral2
- Target
  
  file_x86x64_release/file.exe
- Size
  
  712.0MB
- MD5
  
  1b46efea69196395a3c449b51f34db34
- SHA1
  
  48f324b80cd0a99ae86b524ec87d0730b795829e
- SHA256
  
  ff5ef2b18f72873d947d56ff4d5e9ad98af122cd7260d9b2ae931f81df1fc4a7
- SHA512
  
  c92907ccd3ad05cd42ab34e71dfc4e45d5b4d6307411d880506197640210d82db726c467fb76bb773a96409a0d23484578c2825b1bc50103cc9b4636cbce2003
- SSDEEP
  
  98304:zTW+uIGD8foJWXlj+F2gMFqA/sOVfeS5zc4UcwqyB4qNGDPXRDCOBc4S5BTjGv0e:3QIGD8UyxfrRRfngGDqefMOBcxTg0lI
Score

10^/10

glupteba risepro tofsee collection discovery dropper evasion execution loader persistence rootkit spyware stealer themida trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Modifies firewall policy service
  evasion
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Manipulates WinMon driver.
  Roottkits write to WinMon to hide PIDs from being detected.
  rootkit evasion
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  file_x86x64_release/msvcp140.dll
- Size
  
  576KB
- MD5
  
  a11a1d761d757d367146f0f772632d8c
- SHA1
  
  9fd3eee4c4111dc386510a930192d56a2e938dfe
- SHA256
  
  2cc02c5e6654aa9175d5963f811cac222f4a2604dc28553139c675b1a78995a7
- SHA512
  
  6fbbb77766ee9846d6d3bde2ced5eeaafe721de5524a410a4821dfa6c08edbd00905bec2b9237b8f7986d6d06dbe444c5845130193da537cadaf29ea784c48e1
- SSDEEP
  
  12288:fFrCZUcfGI/O+bE9krdFFM5lle0dkM4X2n08ukSIAg6wQEKZm+jWodEEVrR+:9rCZUNYX2nSkGg6wQEKZm+jWodEE9R+
Score

1^/10
behavioral5 behavioral6
- Target
  
  file_x86x64_release/res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.pyc
- Size
  
  114KB
- MD5
  
  a2f3ded45da8870e93e5d2186dab27e8
- SHA1
  
  3f8e0cddecc3827b33ec02cd78d192c18f1ddf82
- SHA256
  
  fc19237a4e9ae65829dbde384ce0de2c78b22d9577384dded9d4cde569a12742
- SHA512
  
  438621491061c7f14f59c48d0d2fdd637a17c058df13417e21d660d81632dbb826a6144032f6f9192ab9bb0afb46b8f6cf3982879dc9942261c2538dbd17187c
- SSDEEP
  
  3072:k6BVH7SBjeSCbupKVfG2yQJ23J+Svsy9k/TukuPMh:zrbKeWmDyQ+13kOPMh
Score

3^/10
behavioral7 behavioral8