glupteba | bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8

General

Target

bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
Size

3.8MB
MD5

8c3064332c06033b41fa36b82aa425b5
SHA1

331a6343c6fbe5c5e22944f104bd86cb11c80d97
SHA256

bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8
SHA512

a53755532b237d3bb1ac5f1ad89adec66edae8ca913a1de433fdb46fbe4c7681643d6d9efa8174bed300ac60edf12bda34d36e148e2b543741a0a10ef17d8e01

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1108-56-0x00000000039A0000-0x0000000004092000-memory.dmp	family_glupteba
behavioral1/memory/1108-57-0x0000000000400000-0x000000000314A000-memory.dmp	family_glupteba
behavioral1/memory/2020-60-0x0000000000400000-0x000000000314A000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exebfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe

pid	process
1108	bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
2020	bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe

description	pid	process
Token: SeDebugPrivilege	1108	bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
Token: SeImpersonatePrivilege	1108	bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 1688	2020	bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe	cmd.exe
PID 2020 wrote to memory of 1688	2020	bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe	cmd.exe
PID 2020 wrote to memory of 1688	2020	bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe	cmd.exe
PID 2020 wrote to memory of 1688	2020	bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe	cmd.exe
PID 1688 wrote to memory of 1644	1688	cmd.exe	netsh.exe
PID 1688 wrote to memory of 1644	1688	cmd.exe	netsh.exe
PID 1688 wrote to memory of 1644	1688	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
"C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe
"C:\Users\Admin\AppData\Local\Temp\bfd3d410e0062b1a1949e753597b59ab5fd3b64855cf0cf8b215fa98ddd90dc8.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:1644

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:860

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220520100103.log C:\Windows\Logs\CBS\CbsPersist_20220520100103.cab
1⤵
PID:608

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
2.8MB

MD5
f65b4348b6f8fb2a9e91d3619619746b

SHA1
13dc66df6102b790f5ec5268dac0e95b8c8d3e96

SHA256
71d52f5a6613907d4078cb8ed8fdf00afa3b7e11f8482fc544f1ad1edb442550

SHA512
4a24efa39ed9b210f1c107302a25d0c0836d9998cb98a1bd8b4276ffbcb18849d2b8ab413a4442ff5611948fa2626fed90bc7c735ba78dd0e876670a815d513a

Download Submit
\Windows\rss\csrss.exe
Filesize
2.9MB

MD5
f7fadbc3a600bb9d632fe4af86b21717

SHA1
20a3a1cd5872b9b9784436376e1ff91979548387

SHA256
2b555355a52da6b91ccd78ade59fef7969203f1ee4ec94f837e17a9e23164ebe

SHA512
5dc551116032d38ffd4985af4228776c77a04f84f468a19834ede5b21eb4fdc7a3fb9466d1c7cfc387bc2dc9b96c00e912379bfe68bdd9cee152a06bbad30c80

Download Submit
\Windows\rss\csrss.exe
Filesize
2.8MB

MD5
f65b4348b6f8fb2a9e91d3619619746b

SHA1
13dc66df6102b790f5ec5268dac0e95b8c8d3e96

SHA256
71d52f5a6613907d4078cb8ed8fdf00afa3b7e11f8482fc544f1ad1edb442550

SHA512
4a24efa39ed9b210f1c107302a25d0c0836d9998cb98a1bd8b4276ffbcb18849d2b8ab413a4442ff5611948fa2626fed90bc7c735ba78dd0e876670a815d513a

Download Submit
memory/860-68-0x00000000031C0000-0x0000000003565000-memory.dmp

Filesize
3.6MB

Download
memory/860-66-0x0000000000000000-mapping.dmp

Download
memory/1108-54-0x00000000035F0000-0x0000000003995000-memory.dmp

Filesize
3.6MB

Download
memory/1108-55-0x00000000035F0000-0x0000000003995000-memory.dmp

Filesize
3.6MB

Download
memory/1108-56-0x00000000039A0000-0x0000000004092000-memory.dmp

Filesize
6.9MB

Download
memory/1108-57-0x0000000000400000-0x000000000314A000-memory.dmp

Filesize
45.3MB

Download
memory/1644-63-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1644-62-0x0000000000000000-mapping.dmp

Download
memory/1688-61-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x0000000000400000-0x000000000314A000-memory.dmp

Filesize
45.3MB

Download
memory/2020-59-0x00000000032E0000-0x0000000003685000-memory.dmp

Filesize
3.6MB

Download
memory/2020-58-0x00000000032E0000-0x0000000003685000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads