glupteba | 2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1

General

Target

2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Size

4.3MB
MD5

6cd11609ac4e3ff446a0d40d25a96d0b
SHA1

69c8ffcc1216b86580c150d0d47651a257bf2696
SHA256

2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1
SHA512

d8516d34271982ef2d24ed8b8cde45b0b29c358df704199856010d7247c584a8a187fbb4529b99aa137a38ed9ad9dc0382fb859b66328d248212a935142b58e6

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2648-115-0x0000000002FE0000-0x00000000038FE000-memory.dmp	family_glupteba
behavioral1/memory/2648-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe

pid	process
2648	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
2648	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe

description	pid	process
Token: SeDebugPrivilege	2648	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
Token: SeImpersonatePrivilege	2648	2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe

C:\Users\Admin\AppData\Local\Temp\2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
"C:\Users\Admin\AppData\Local\Temp\2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Users\Admin\AppData\Local\Temp\2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe
"C:\Users\Admin\AppData\Local\Temp\2a28fb348ef59245eddf02761fb2ca282db406b7c8983b19090d468b82b112e1.exe"
2⤵
- Modifies data under HKEY_USERS
PID:2476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2648-115-0x0000000002FE0000-0x00000000038FE000-memory.dmp

Filesize
9.1MB

Download
memory/2648-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads