glupteba | 00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5

General

Target

00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
Size

3.8MB
MD5

075868ed27e487456ec6f05db49e5872
SHA1

25052a094096e8ef0672de1c8acfe8291ed5364e
SHA256

00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5
SHA512

fa6e754976edf35ceddb7ccef785c54c2d971a77bbfae64e05531c66816a0ff9a55c5f7192e8a2fc27a597011aa62079d946834fb0c5b7e9814dcfef52ffea83

Score

10^/10

glupteba dropper loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4516-131-0x0000000000400000-0x0000000000B0F000-memory.dmp	family_glupteba
behavioral2/memory/1452-135-0x0000000002C00000-0x00000000032F5000-memory.dmp	family_glupteba
behavioral2/memory/4516-134-0x0000000000400000-0x0000000000B0F000-memory.dmp	family_glupteba
behavioral2/memory/4516-136-0x0000000000400000-0x0000000000B0F000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2116 created 4516 2116 svchost.exe 00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe

description	pid	process	target process
PID 2116 created 4516	2116	svchost.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe

description	pid	process	target process
PID 1452 set thread context of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe

pid	process
4516	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
4516	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4516	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
Token: SeImpersonatePrivilege	4516	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
Token: SeTcbPrivilege	2116	svchost.exe
Token: SeTcbPrivilege	2116	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exesvchost.exe

description	pid	process	target process
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 1452 wrote to memory of 4516	1452	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 2116 wrote to memory of 1796	2116	svchost.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 2116 wrote to memory of 1796	2116	svchost.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
PID 2116 wrote to memory of 1796	2116	svchost.exe	00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe

C:\Users\Admin\AppData\Local\Temp\00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
"C:\Users\Admin\AppData\Local\Temp\00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
"C:\Users\Admin\AppData\Local\Temp\00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\AppData\Local\Temp\00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe
"C:\Users\Admin\AppData\Local\Temp\00dd0ab522628e625e192839bfa5cdc49bf9ee52b58713d95452b2cf633333f5.exe"
3⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-133-0x0000000002858000-0x0000000002BFE000-memory.dmp

Filesize
3.6MB

Download
memory/1452-135-0x0000000002C00000-0x00000000032F5000-memory.dmp

Filesize
7.0MB

Download
memory/1796-137-0x0000000000000000-mapping.dmp

Download
memory/4516-130-0x0000000000000000-mapping.dmp

Download
memory/4516-131-0x0000000000400000-0x0000000000B0F000-memory.dmp

Filesize
7.1MB

Download
memory/4516-134-0x0000000000400000-0x0000000000B0F000-memory.dmp

Filesize
7.1MB

Download
memory/4516-136-0x0000000000400000-0x0000000000B0F000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads