glupteba | 294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050

General

Target

294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Size

4.3MB
MD5

1bcac3843c2cecf188c5182ec450a500
SHA1

eef22630d6f9bc88049ed1d8fe7ad0ae3ad01c36
SHA256

294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050
SHA512

4b3e79da15a2578835503a01eab3a7c02343c170397f981602dc2684aeeba0f0978b2b38ff0b24553b1983978fb4c75693c982d29842b83f470e897393b8ea49

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-115-0x0000000002EF0000-0x000000000380E000-memory.dmp	family_glupteba
behavioral1/memory/2372-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe

pid	process
2372	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
2372	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe

description	pid	process
Token: SeDebugPrivilege	2372	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
Token: SeImpersonatePrivilege	2372	294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe

C:\Users\Admin\AppData\Local\Temp\294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
"C:\Users\Admin\AppData\Local\Temp\294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Users\Admin\AppData\Local\Temp\294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe
"C:\Users\Admin\AppData\Local\Temp\294d39dc0a349f3caa943995e3214187d0b9f1fc17c2e95d99acc380ae067050.exe"
2⤵
- Modifies data under HKEY_USERS
PID:3392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2372-115-0x0000000002EF0000-0x000000000380E000-memory.dmp

Filesize
9.1MB

Download
memory/2372-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads