glupteba | da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989

General

Target

da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Size

4.3MB
MD5

f107669a60976617a74c2ad10765e292
SHA1

05ba9f6dc0a4fce97725ea2e39865e466c98a6da
SHA256

da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989
SHA512

afe5b26041e72da4043cb3ba98ebad9712849121aaae267470b72a8f2f4b7c45b1e84bcb4f4891be85ef1ca50b4dbd996787108308acbb1ec506e37a075e52b3

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2068-115-0x0000000003020000-0x000000000393E000-memory.dmp	family_glupteba
behavioral1/memory/2068-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-492 = "India Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe

pid	process
2068	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
2068	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe

description	pid	process
Token: SeDebugPrivilege	2068	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
Token: SeImpersonatePrivilege	2068	da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe

C:\Users\Admin\AppData\Local\Temp\da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
"C:\Users\Admin\AppData\Local\Temp\da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Users\Admin\AppData\Local\Temp\da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe
"C:\Users\Admin\AppData\Local\Temp\da8b797d3b7c999316c155051b8e743bee9e642f2576a0c0032fb79a09c37989.exe"
2⤵
- Modifies data under HKEY_USERS
PID:4028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2068-115-0x0000000003020000-0x000000000393E000-memory.dmp

Filesize
9.1MB

Download
memory/2068-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads