glupteba | 341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0

General

Target

341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Size

4.3MB
MD5

41f354412b975406192a4448c9ac9616
SHA1

4077587c04bc361d4b7f60c5aa99d34993505e35
SHA256

341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0
SHA512

73913377801f852b5ed17a38a6ac99a45da1c02f8e39c5f5bc00874edf44ff00b084d7cacd28c54ef5b8c5813d9ad0bfc083495ce10ee1af675a8ec47e2e5ce2

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2012-115-0x00000000030D0000-0x00000000039EE000-memory.dmp	family_glupteba
behavioral1/memory/2012-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-572 = "China Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-492 = "India Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe

pid	process
2012	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
2012	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe

description	pid	process
Token: SeDebugPrivilege	2012	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
Token: SeImpersonatePrivilege	2012	341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe

C:\Users\Admin\AppData\Local\Temp\341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
"C:\Users\Admin\AppData\Local\Temp\341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Users\Admin\AppData\Local\Temp\341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe
"C:\Users\Admin\AppData\Local\Temp\341c7fa771ad9d005482e8da6310813a53ec3b0a0ceda84b503804d666fa5ea0.exe"
2⤵
- Modifies data under HKEY_USERS
PID:2112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-115-0x00000000030D0000-0x00000000039EE000-memory.dmp

Filesize
9.1MB

Download
memory/2012-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads