glupteba

Sharing

General

Target

91f4b7ae747bfd036882e084650f608782b6054ecc8ab32f5fe91b91caf80e5d
Size

5.4MB
Sample

241111-nbywxsxqgs
MD5

04d15b7cbf0569864486cc138604d68c
SHA1

2bdb39e458ba4e7a5e0e262262c54b0ecf685956
SHA256

91f4b7ae747bfd036882e084650f608782b6054ecc8ab32f5fe91b91caf80e5d
SHA512

1d2dcf2c1a41ab14795c7485d1a825de7f6237d726e6e1d4414dccaadf6cc77df9e5ae1ee4554321ce3b0c23899612c9be7b18ce2bf5cb829a1a04e564c3ccc0
SSDEEP

98304:Nyl4iDs/IxYMuVTHphqbk6Ao0Bs3+4dbi8R1BV5qxRJ36XUR+o0LVAeShTu4vLYU:8TZGpVrvqdAoSEb/rBV5OuToVHLYjkJp

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Version

1.7.3

Botnet

5c07c7a19b0c108c44d95accd1e1b897aa1528e1

Attributes

url4cnc
https://telete.in/fsp1boomgasio

rc4.plain

Targets

- Target
  
  028d53f5224f9cc8c60bd953504f1efa.exe
- Size
  
  4.4MB
- MD5
  
  90a0bd1a164b2af8a7b15f75ab07e3f1
- SHA1
  
  c8def0f5b75c51b2efa40b07ebe035566d8be1a1
- SHA256
  
  276387214b560792419a07b097ee76400519c2c902f378207d30acf851ac2213
- SHA512
  
  b0cd55af23728cbf3a63392c492aff201df688f1185eb5f577e56151c8d871d49ae392d51bdfdf0dde360d86fc919174015d6d6cabbd3c3f59cdec5ca53bf4c0
- SSDEEP
  
  98304:N9q+oGJo+qJJL2CXFhmOdc3hKpw0dx4juSWejiXkiOvNqwf7BiqK8XaYtXBr:zq+oGeyUw0wjuSW/XkfNJ74qXDr
Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence privilege_escalation rootkit trojan
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba family
  glupteba
- Glupteba payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Windows security bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Manipulates WinMon driver.
  Roottkits write to WinMon to hide PIDs from being detected.
  rootkit evasion
- Manipulates WinMonFS driver.
  Roottkits write to WinMonFS to hide directories/files from being detected.
  rootkit evasion
behavioral1 behavioral2
- Target
  
  Bot_Checker.exe
- Size
  
  56KB
- MD5
  
  391ca27e1e5cc0da88d1fcc8df1d0d85
- SHA1
  
  25bd7c5b7d88bcd01610226fccb0910b48dc1eee
- SHA256
  
  a9ee4862c1e7931ef8366b090ac1f3212e79cc17d7737f537978d9a3fb0c5ef1
- SHA512
  
  2dbb84eb664798766a669c7d407be76d5154bd7d0b99f2c2371ad0ae3e1124605df0771b228f7a3406f023fa9cbba3022afb5b48207cf1eb14d94cda7a5117f9
- SSDEEP
  
  768:dQR+JJlY3yGJxNojkTnJI6TWzzejkZy/xbD9BxufhqXKClqp9:NAoITdT0Zy5bZXYmlqp9
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4
- Target
  
  Uninstall.exe
- Size
  
  97KB
- MD5
  
  a8c53399726fea24e4af993e971df5af
- SHA1
  
  50b4c4d3cf172106417dc0e59eaa63bf7cd0603e
- SHA256
  
  6b13a733947bc2395695cc6f9a8b59eae88cf6467e368a810bcac0c10d6c46a6
- SHA512
  
  b2159712ecfa8f7e9a75a190e858cc791bcdcd19118a6db40041d7ffbda531343a63244d35012702dda8514191e8bf6e838ab896c9db232f2c163fc4d4cd2bf9
- SSDEEP
  
  1536:zO/z6hPABUjO/Zd1716EoLiL4l1HdIaqQPDm0xK8i6f0Zn9PRVW8sW45o75U:kzgjO/Zd1RePDmZ8tf05iW4u1U
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6
- Target
  
  Versium.exe
- Size
  
  746KB
- MD5
  
  393d6260e39b68b2d60300e4f62ebc83
- SHA1
  
  16c58c5b7dee3ce4c3a40925ba4eed3c188faf46
- SHA256
  
  e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3
- SHA512
  
  d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198
- SSDEEP
  
  6144:d/QiQXCz5m+ksmpk3U9j0IMsoxvjFEOTb9WmZX/8shzdsY4CpHPhnBvudg:VQi3zc6m6UR0IMp1hf39Wkv8xwJB2i
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral7 behavioral8
- Target
  
  VersiumResearch32bit.exe
- Size
  
  504KB
- MD5
  
  8479bce60218cd871c118308ded82d39
- SHA1
  
  0388ec861b2ac5c7f4dc6eed249d92d3002fe66e
- SHA256
  
  15078be80772a449383c5f6a7631955039b82ebaf507ab67e61093b70b98dc43
- SHA512
  
  f4be47baee6baeacbe1e27174ad83700efc78ab2d02262d718c7436d2304fc16618a5911bed63ed8d2e947af3c511d17b77ddfccea9a4e6aab9f3956fcf322f8
- SSDEEP
  
  12288:KZCvp4LezCdIzVgs4Bi9ecBTBB85c50J3FTI:KZuKezCqzVgsy8acqBI
Score

10^/10

raccoon 5c07c7a19b0c108c44d95accd1e1b897aa1528e1 discovery stealer
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
behavioral10 behavioral9
- Target
  
  VersiumResearch64bit.exe
- Size
  
  252KB
- MD5
  
  ee19bc8a2b6c6fd7c30037389457a4df
- SHA1
  
  e1fca1cc33574e59dec62763ee6e7de1a5198095
- SHA256
  
  76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0
- SHA512
  
  38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001
- SSDEEP
  
  3072:45uNO+8s6V5WQZV08YLmqa/Qh10UNtGOWmA3hLKKKKKU8AAFTbp8ELQHsoOJNuY2:45W8sscuVVYLOoh1MGfJXnIZRhv
Score

1^/10
behavioral11 behavioral12
- Target
  
  Versiumresearch.exe
- Size
  
  163KB
- MD5
  
  b1dbc3b027105d8032541bc0c5e71abb
- SHA1
  
  1ef1950ecb44e6bd8d0a3849868ec9a0ceaa1130
- SHA256
  
  b0eb54f46e5919460cb8d21fdcd695e3356b6311ab0547f18dc3d84a66a14bc4
- SHA512
  
  3f7fd0aa71e6fae5eeaf16cc47a1ac43cdd1f643c1e7e439eb068685558929cf3c74552ad70fbf2d6cad94cc11bb8ea9c099ef1401b868947f1a9e5e44b34f7b
- SSDEEP
  
  3072:3iwHlYGynq3D2/NS6hskuAM44ht1kENNUUd/mYK:bGGD21S6hskuAC/vNNw
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral13 behavioral14