General
Target

1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe

Filesize

4MB

Completed

20-05-2022 05:13

Task

behavioral2

Score
10/10
MD5

79b2dce444347169977d7fa87137f839

SHA1

239779f6b48824a9e7626f6aa3c306c08eb244dd

SHA256

1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef

SHA512

73d68bf150662bb78ceb913dd54d5fe2414aed37769dd453102eb4ac9ea5fc565fbd45ecd9ba4e95422ba191ff0f8d1544d6fcb715b6c51fac5bbe1cc805346f

Malware Config
Signatures 6

Filter: none

  • Glupteba

    Description

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1208-131-0x0000000000400000-0x0000000000AE9000-memory.dmp | family_glupteba
  • Suspicious use of NtCreateUserProcessOtherParentProcess
    svchost.exe

    Reported IOCs

    description | pid | process | target process
    PID 1604 created 1208 | 1604 | svchost.exe | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
  • Suspicious behavior: EnumeratesProcesses
    1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe

    Reported IOCs

    pid | process
    1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
  • Suspicious use of AdjustPrivilegeToken
    1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exesvchost.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    Token: SeImpersonatePrivilege | 1208 | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    Token: SeTcbPrivilege | 1604 | svchost.exe
    Token: SeTcbPrivilege | 1604 | svchost.exe
  • Suspicious use of WriteProcessMemory
    svchost.exe

    Reported IOCs

    description | pid | process | target process
    PID 1604 wrote to memory of 376 | 1604 | svchost.exe | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    PID 1604 wrote to memory of 376 | 1604 | svchost.exe | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    PID 1604 wrote to memory of 376 | 1604 | svchost.exe | 1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
    "C:\Users\Admin\AppData\Local\Temp\1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe
      "C:\Users\Admin\AppData\Local\Temp\1ea3c3acb4c6e533907cc7bdafd5cb4bd5e8294b717803e86b57c925d5992aef.exe"
      PID:376
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1604
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/376-132-0x0000000000000000-mapping.dmp
  • memory/1208-130-0x0000000002E73000-0x000000000320B000-memory.dmp
  • memory/1208-131-0x0000000000400000-0x0000000000AE9000-memory.dmp