glupteba | df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f

General

Target

df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Size

4.3MB
MD5

d24a42719f9482447b38eea18a124d38
SHA1

4c84918f81e63a31e836d780200704b67b538876
SHA256

df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f
SHA512

ed4ea7d1640ff371f61088e6b9539057317df11fb9d292a78ba7c3c1b0e251a44c7f214f401a0339d7fc8c9f007fba67ad6cf1980c16eef8180f5a074672ab04

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-116-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral1/memory/2492-115-0x0000000003080000-0x000000000399E000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies data under HKEY_USERS 64 IoCs

Processes:

df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe

pid	process
2492	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
2492	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe

description	pid	process
Token: SeDebugPrivilege	2492	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
Token: SeImpersonatePrivilege	2492	df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe

C:\Users\Admin\AppData\Local\Temp\df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
"C:\Users\Admin\AppData\Local\Temp\df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Users\Admin\AppData\Local\Temp\df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe
"C:\Users\Admin\AppData\Local\Temp\df6c03a48c36accf785cd3c92cb2c63cff2bdfef56eeb7b4994719378231fd2f.exe"
2⤵
- Modifies data under HKEY_USERS
PID:3364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-116-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/2492-115-0x0000000003080000-0x000000000399E000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads