glupteba | a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8

General

Target

a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Size

4.3MB
MD5

b10eefeb3e0a0607a8cbc6b749dad934
SHA1

5adf93ad29dc04a1690a9d181da343cede83a617
SHA256

a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8
SHA512

cbf831ca5f199c6731e3ad7aa8c6e8c8b7d3e627c12354fc83bf3dc41113999edf62a9fc40220d6db5ffc53055609a7a659415082677a12facb290d3e25a89cc

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2360-115-0x00000000030A0000-0x00000000039BE000-memory.dmp	family_glupteba
behavioral1/memory/2360-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe

pid	process
2360	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
2360	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe

description	pid	process
Token: SeDebugPrivilege	2360	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
Token: SeImpersonatePrivilege	2360	a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe

C:\Users\Admin\AppData\Local\Temp\a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
"C:\Users\Admin\AppData\Local\Temp\a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Users\Admin\AppData\Local\Temp\a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe
"C:\Users\Admin\AppData\Local\Temp\a8c84630a81683a9befefb6ef477b6bca114aa3c84abc8d753e2a14c02b984d8.exe"
2⤵
- Modifies data under HKEY_USERS
PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-115-0x00000000030A0000-0x00000000039BE000-memory.dmp

Filesize
9.1MB

Download
memory/2360-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads