glupteba | e164923d190995c709d3d08f8d96825a7dbfdff4bf6b583dd4cc21b312f0d760

General

Target

app.exe
Size

4.5MB
MD5

fc71c451366dd6e7f0aeeb306752fa52
SHA1

8748f5854b6dde9205903a9774ff0b0f62b452bd
SHA256

e164923d190995c709d3d08f8d96825a7dbfdff4bf6b583dd4cc21b312f0d760
SHA512

9fc08f712663a7b6ed52bf8ee36ef8f7f5aaa12b064ec92bf050a22214cd023422e806c7bba4e0233384fe3343a30a07d8f8fa8db496065bc755adde2f5c8c11

Score

10^/10

glupteba metasploit backdoor dropper loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1820-55-0x0000000001300000-0x0000000001C1E000-memory.dmp	family_glupteba
behavioral2/memory/1820-56-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Drops file in System32 directory 6 IoCs

Processes:

app.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	app.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	app.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	app.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	app.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	app.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	app.exe

Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20211014130525.cab makecab.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20211014130525.cab	makecab.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

app.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-751 = "Tonga Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-741 = "Neuseeland Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-91 = "Chilenische Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-522 = "Nord-Zentralasien Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-214 = "Pacific Sommerzeit (Mexiko)"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-771 = "Montevideo Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-832 = "Östl. Südamerika Normalzeit "	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-442 = "Arabische Normalzeit "	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-692 = "Tasmanien Normalzeit"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-364 = "Mittlerer Osten Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-591 = "Malaiische Halbinsel Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-261 = "Westeuropäische Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-382 = "Südafrika Normalzeit"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-222 = "Alaska Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-402 = "Arabische Normalzeit "	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-501 = "Nepal Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-721 = "Zentralpazifische Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-492 = "Indien Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-432 = "Iran Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-272 = "Westafrikanische Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-502 = "Nepal Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-602 = "Taipeh Normalzeit"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-231 = "Hawaii Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-182 = "Mountain Normalzeit (Mexiko)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-542 = "Myanmar Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-121 = "Westl. Südamerika Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-351 = "Osteuropäische Sommerzeit "	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-271 = "Westafrikanische Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer-zu-Peer-Vertrauensstellung"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-251 = "Datumsgrenze Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-491 = "Indien Sommerzeit"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-105 = "Zentalbrasilianische Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-592 = "Malaiische Halbinsel Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-241 = "Samoa Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@%SystemRoot%\system32\dnsapi.dll,-103 = "DNS-Serververtrauen (Domain Name System)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-352 = "Osteuropäische Zeit "	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-831 = "Östl. Südamerika Sommerzeit "	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-561 = "Südostasiatische Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-1472 = "Magadan Normalzeit"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-662 = "Zentralaustralische Normalzeit "	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-161 = "Central Sommerzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-52 = "Grönland Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-362 = "Osteuropäische Zeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-742 = "Neuseeland Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-1041 = "Ulan-Bator Sommerzeit"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-252 = "Datumsgrenze Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-332 = "Osteuropäische Zeit "	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-672 = "Ostaustralische Normalzeit"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-892 = "Marokko Normalzeit"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06\@tzres.dll,-401 = "Arabische Sommerzeit "	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	app.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

app.exe

pid process

1820 app.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

app.exe

description pid process

Token: SeDebugPrivilege 1820 app.exe
Token: SeImpersonatePrivilege 1820 app.exe

pid	process
1820	app.exe

description	pid	process
Token: SeDebugPrivilege	1820	app.exe
Token: SeImpersonatePrivilege	1820	app.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 548 wrote to memory of 592	548	taskeng.exe	default-browser-agent.exe
PID 548 wrote to memory of 592	548	taskeng.exe	default-browser-agent.exe
PID 548 wrote to memory of 592	548	taskeng.exe	default-browser-agent.exe

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1808

C:\Windows\system32\taskeng.exe
taskeng.exe {66ED2501-140A-452C-B647-88A664CB7C45} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:592

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211014130525.log C:\Windows\Logs\CBS\CbsPersist_20211014130525.cab
1⤵
- Drops file in Windows directory
PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-54-0x0000000000000000-mapping.dmp

Download
memory/1808-57-0x0000000000F40000-0x000000000137B000-memory.dmp

Filesize
4.2MB

Download
memory/1820-53-0x0000000000EC0000-0x00000000012FB000-memory.dmp

Filesize
4.2MB

Download
memory/1820-55-0x0000000001300000-0x0000000001C1E000-memory.dmp

Filesize
9.1MB

Download
memory/1820-56-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads