Overview

overview

10

Static

static

009dae0a48...63.exe

windows7_x64

10

009dae0a48...63.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    39s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    009dae0a4892cc0d44f4d230edb301d10cf37b76d724b546880f48c21a9d9563.exe

  • Size

    3.8MB

  • MD5

    59a8ad9df39a24463e6f88be2f5658aa

  • SHA1

    6c7d2b44eb640be26358eb7bbe68e5189accc329

  • SHA256

    009dae0a4892cc0d44f4d230edb301d10cf37b76d724b546880f48c21a9d9563

  • SHA512

    305ea17ef8531bb71e09d67c3253de8a4d3f2c9802c26a4c1605e2c1164dfb2a7b3d55123840692957ba9c107fb36e890eb1ed01b6a9826ea1c543efbfae1b3b

Score
10/10
gluptebadropperevasionloadersuricata

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 2 IoCs
  • suricata: ET MALWARE Glupteba CnC Domain in DNS Lookup

    suricata: ET MALWARE Glupteba CnC Domain in DNS Lookup

    suricata
  • Modifies Windows Firewall 1 TTPs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\009dae0a4892cc0d44f4d230edb301d10cf37b76d724b546880f48c21a9d9563.exe
    "C:\Users\Admin\AppData\Local\Temp\009dae0a4892cc0d44f4d230edb301d10cf37b76d724b546880f48c21a9d9563.exe"
    1⤵
      PID:620
      • C:\Users\Admin\AppData\Local\Temp\009dae0a4892cc0d44f4d230edb301d10cf37b76d724b546880f48c21a9d9563.exe
        "C:\Users\Admin\AppData\Local\Temp\009dae0a4892cc0d44f4d230edb301d10cf37b76d724b546880f48c21a9d9563.exe"
        2⤵
          PID:1820
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:1660
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe ""
              3⤵
                PID:548
          • C:\Windows\system32\makecab.exe
            "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524151433.log C:\Windows\Logs\CBS\CbsPersist_20220524151433.cab
            1⤵
              PID:1756
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              1⤵
                PID:1736

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Modify Existing Service

              1
              T1031

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Windows\rss\csrss.exe
                Filesize

                49KB

                MD5

                f7f508eee12f6ec7058415d014c8e652

                SHA1

                1531706cade359dd82d2a4ba82676dccd59e3753

                SHA256

                d54f40c36dcb615b50d6487b5787b5735be7b5a0459d36429439b7d92ccfb1a4

                SHA512

                c73e71379d39a277d4053c1c22b5a67494ea4374359e84eab58d5077c1885b61d36890672fb3bab05802846dd76cff8cd2e09bddc0af582596d9b3acdcec742e

                Download Submit
              • \Windows\rss\csrss.exe
                Filesize

                36KB

                MD5

                35f82c81320034a04808f99d390e8ba9

                SHA1

                84d401d39d5eedb1a635d2546cbbdc34e5caeb25

                SHA256

                32f62734b9eacd07d5d74f9cbc2f4fac9b866d57ab49d9993f3ee6754496c8ed

                SHA512

                6405355c57cd0843ca1e51c4608d42f78019772014f4f8b9cec0c4ec46b193c8f35c8e5e61a6c400c1a3c7af2446bf393c5af2716747acccbaf063e05d5b9688

                Download Submit
              • \Windows\rss\csrss.exe
                Filesize

                68KB

                MD5

                2b3a33dc919488904b6afc86b489e840

                SHA1

                dd07180ac55db0730e4a73ef03c3cb45b479d39c

                SHA256

                06375fa59cdf8c89aab0fd912600f0cc453b228a009120d8a110997a2beb5fd7

                SHA512

                376860ecb3eea7f8323ff3f0c5b17c13e15b52550fb8324413a7a9c4806d0ee1e0b9f9ec6ba816e6c024cc0a28d5376c78e20762e60378246ee400df8a69a62e

                Download Submit
              • memory/548-70-0x0000000000400000-0x000000000521C000-memory.dmp
                Filesize

                78.1MB

                Download
              • memory/548-66-0x0000000000000000-mapping.dmp
                Download
              • memory/548-68-0x0000000006AC0000-0x0000000006E64000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/548-69-0x0000000006AC0000-0x0000000006E64000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/620-57-0x0000000000400000-0x000000000521C000-memory.dmp
                Filesize

                78.1MB

                Download
              • memory/620-54-0x0000000006C40000-0x0000000006FE4000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/620-56-0x0000000006FF0000-0x00000000076DE000-memory.dmp
                Filesize

                6.9MB

                Download
              • memory/620-55-0x0000000006C40000-0x0000000006FE4000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/1660-59-0x0000000000000000-mapping.dmp
                Download
              • memory/1736-61-0x000007FEFC461000-0x000007FEFC463000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1736-60-0x0000000000000000-mapping.dmp
                Download
              • memory/1820-58-0x0000000006D30000-0x00000000070D4000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/1820-63-0x0000000000400000-0x000000000521C000-memory.dmp
                Filesize

                78.1MB

                Download
              • memory/1820-62-0x0000000006D30000-0x00000000070D4000-memory.dmp
                Filesize

                3.6MB

                Download