glupteba | 7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30

General

Target

7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Size

4.3MB
MD5

fb8b4808ebeb8ad8a3ce25eb748abda3
SHA1

1bfc4349045eacfd129a694ee3f4b197f745a02f
SHA256

7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30
SHA512

20b90e1de7d7a4c399f1a8f213c23cde832a5d032c71ff3f2290043c256ab4ac7b30031f6dc973a757ba72e860a2fe8675df8192093276e800bcf7ec790f2c78

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2160-115-0x0000000002F80000-0x000000000389E000-memory.dmp	family_glupteba
behavioral1/memory/2160-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-492 = "India Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe

pid	process
2160	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
2160	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe

description	pid	process
Token: SeDebugPrivilege	2160	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
Token: SeImpersonatePrivilege	2160	7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe

C:\Users\Admin\AppData\Local\Temp\7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
"C:\Users\Admin\AppData\Local\Temp\7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Users\Admin\AppData\Local\Temp\7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe
"C:\Users\Admin\AppData\Local\Temp\7702a80626eeded003011996ebdea16071ec5259d7988d2d064429874399aa30.exe"
2⤵
- Modifies data under HKEY_USERS
PID:968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-115-0x0000000002F80000-0x000000000389E000-memory.dmp

Filesize
9.1MB

Download
memory/2160-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads