glupteba | 491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb

General

Target

491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Size

4.3MB
MD5

0d2baff50a239053d5e1bd00160e60a8
SHA1

7ecbaa51acb6295051ae70586f521c676e364843
SHA256

491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb
SHA512

d352c6ed74a672bd84f8dbb706f2738fcf698dd9efebf965f240f4853732a41067f8cbb39372873c92b32407c0f41697b6212566747fa40ac0f0ee9a088de852

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3608-115-0x0000000003070000-0x000000000398E000-memory.dmp	family_glupteba
behavioral1/memory/3608-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe

pid	process
3608	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
3608	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe

description	pid	process
Token: SeDebugPrivilege	3608	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
Token: SeImpersonatePrivilege	3608	491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe

C:\Users\Admin\AppData\Local\Temp\491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
"C:\Users\Admin\AppData\Local\Temp\491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608
- C:\Users\Admin\AppData\Local\Temp\491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe
  "C:\Users\Admin\AppData\Local\Temp\491a59a09706b8235c5221799c0f6b045693f6e7c4ba0753e37902fbb1a17abb.exe"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3608-115-0x0000000003070000-0x000000000398E000-memory.dmp

Filesize
9.1MB

Download
memory/3608-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads