General
-
Target
52a39ad858c97ff0fd70f58eb0efbd6bd41e27f19872cd585370e5e2583c2a78.exe
-
Size
4.2MB
-
Sample
250318-2kqhssyxhv
-
MD5
9e95a2f30e9621a865f2dfc65dc24673
-
SHA1
c25c03c225709bff58f0fca6bf93c17b28a99aca
-
SHA256
52a39ad858c97ff0fd70f58eb0efbd6bd41e27f19872cd585370e5e2583c2a78
-
SHA512
478eb0640bb5584842d3f8bc00ac7b575f345fc3e70cf04f3b272bf2487af898cbb2f82522b994a7e858bfdc78df89facae968cf6a775c972a5d387710f52e5e
-
SSDEEP
98304:gX+V5iS4211ab8CRU3jj44988X/pz+96Jas+tdDDO/yqmS:gX+V57421108CyI18UwwtdkmS
Malware Config
Targets
-
-
Target
52a39ad858c97ff0fd70f58eb0efbd6bd41e27f19872cd585370e5e2583c2a78.exe
-
Size
4.2MB
-
MD5
9e95a2f30e9621a865f2dfc65dc24673
-
SHA1
c25c03c225709bff58f0fca6bf93c17b28a99aca
-
SHA256
52a39ad858c97ff0fd70f58eb0efbd6bd41e27f19872cd585370e5e2583c2a78
-
SHA512
478eb0640bb5584842d3f8bc00ac7b575f345fc3e70cf04f3b272bf2487af898cbb2f82522b994a7e858bfdc78df89facae968cf6a775c972a5d387710f52e5e
-
SSDEEP
98304:gX+V5iS4211ab8CRU3jj44988X/pz+96Jas+tdDDO/yqmS:gX+V57421108CyI18UwwtdkmS
Score10/10-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba family
-
Glupteba payload
-
Windows security bypass
-
Modifies boot configuration data using bcdedit
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Manipulates WinMon driver.
Roottkits write to WinMon to hide PIDs from being detected.
-
Manipulates WinMonFS driver.
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1