glupteba | 573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178

General

Target

573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Size

4.3MB
MD5

251146af46b92f407e7cfa5b2ef8cb10
SHA1

cdea8e2f427831944acec666b739ed1a79c23d43
SHA256

573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178
SHA512

60cae501729658639668e9d21ef1719fef0a99cd6eb67e37866f66f99e8538fd0bf92e03d142f6abc2ce806b2f23f33dbc3bf58c52f846ef52c171f993e40371

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3464-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral1/memory/3464-115-0x0000000002E70000-0x000000000378E000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe

pid	process
3464	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
3464	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe

description	pid	process
Token: SeDebugPrivilege	3464	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
Token: SeImpersonatePrivilege	3464	573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe

C:\Users\Admin\AppData\Local\Temp\573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
"C:\Users\Admin\AppData\Local\Temp\573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Users\Admin\AppData\Local\Temp\573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe
"C:\Users\Admin\AppData\Local\Temp\573b1401267c1460f64781fb52edff8de3834a8a75f14f41a5e481c41a0c0178.exe"
2⤵
- Modifies data under HKEY_USERS
PID:3156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3464-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/3464-115-0x0000000002E70000-0x000000000378E000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads