Managed XDR

xex-lnk-exploit-builder_164.lnk (Glupteba) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
xex-lnk-exploit-builder_164.lnk
Тип файла
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon, Archive, ctime=Tue May 12 22:51:45 2026, mtime=Sat May 30 12:34:27 2026, atime=Tue May 12 22:51:45 2026, length=339968, window=hidenormalshowminimized
Размер файла
2.1 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
d4ef46ba647b47753697e18583e998d933a8ccab
SHA256
0b739bcca4cee6b0c98a2a1d86bc8be4d3b13e5244b31c81ebd1c6d065ca7623
MD5
9eca94f0c0e618d724f2a172fae14c87

Вредоносное ПО

  • Glupteba

Сигнатуры

Execution

T1204 suspicious_lnk: LNK file with suspicious content
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1072 detect_putty: Traces typical for Putty are detected in the system
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Privilege Escalation

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Defense Evasion

T1218 suspicious_cmdline: Executes a suspicious command
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1057 has_wmi: Executes one or several WMI requests
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Lateral Movement

T1072 detect_putty: Traces typical for Putty are detected in the system

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

glupteba_behavior: Glupteba indicators detected
network_bind: Starts servers listening at None
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
yara_rules: Static rules

Похожие отчёты

Managed XDR