glupteba | d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c

General

Target

d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Size

4.3MB
MD5

a9f44b3ddb77c04e15feadd2cb981c4c
SHA1

66c59a6269e403d0c37a3b3559346ebfe283c54e
SHA256

d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c
SHA512

245827d86a9ac7c9b356bee78428e9dab5890b90b9bd9e783f3ff6ec778ff3b42ee0298aba90eed01a8e17a4c55d6d5fe2c13a4b1560914448490b3eb02133c8

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2176-115-0x0000000002FE0000-0x00000000038FE000-memory.dmp	family_glupteba
behavioral1/memory/2176-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe

pid	process
2176	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
2176	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe

description	pid	process
Token: SeDebugPrivilege	2176	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
Token: SeImpersonatePrivilege	2176	d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe

C:\Users\Admin\AppData\Local\Temp\d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
"C:\Users\Admin\AppData\Local\Temp\d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176
- C:\Users\Admin\AppData\Local\Temp\d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe
  "C:\Users\Admin\AppData\Local\Temp\d33772defc5835f420428fce2beddc18cbc641d180992bc35da12260d606074c.exe"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2176-115-0x0000000002FE0000-0x00000000038FE000-memory.dmp

Filesize
9.1MB

Download
memory/2176-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads