General
- Target: https___thebabsite.com_app_app.exe
- Size: 3.9MB
- Sample: 201123-625ndn9the
- MD5: 04548b9a041bd71c90586a09c9211a6e
- SHA1: d3811354ad78c5b0470448d917b84f2722c473a5
- SHA256: d60c64e9104b55b04794bc7991675e4536317ebeb554c815e45181af2828332a
- SHA512: a57fd2d6d83d6f3554a3ebd1591433b73216086a9768dedae32543cfb17e197cdbeb973f882ba965ca4074b17f76568c93d83e19f935d499650b8a46c9963e2f
Static task: static1
Behavioral task: behavioral1
- Sample: https___thebabsite.com_app_app.exe
- Resource: win7v20201028
Malware Config
Targets
- Target: https___thebabsite.com_app_app.exe
Signatures
- Glupteba Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.