Gla_05.rar

: A sophisticated downloader used to deliver other malware like Formbook or Remcos RAT [4, 6].

: Creation of scheduled tasks or registry "Run" keys to ensure the malware starts with Windows.

: Attempts to connect to Command and Control (C2) servers via non-standard ports or encrypted channels to exfiltrate stolen data [2, 4].

: Once the internal file is launched, it performs "process hollowing," injecting malicious code into legitimate system processes like RegAsm.exe or cvtres.exe to remain hidden [5, 7].

Indicators of Compromise (IoCs)

: An information stealer targeting credentials and cryptocurrency wallets [1].

Execution Chain

: The user is prompted to extract the file, often requiring a password provided in the email body.

: The .rar extension indicates a WinRAR compressed archive. This format is often chosen by threat actors to bypass basic email security filters that may block .exe or .zip files more aggressively [3, 5].

While specific hashes for "GLA_05.rar" vary by campaign, look for these typical behaviors: