Overview

overview

10

Static

static

fa4e598fe6...9e.exe

windows7-x64

10

fa4e598fe6...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    8s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2022 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe

  • Size

    5.0MB

  • MD5

    b35136bf591963c588eb24e67df17537

  • SHA1

    aadc59616a36a1dbdbf36b9893c91d33ac407869

  • SHA256

    fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e

  • SHA512

    1271704d322ed6ec637fac4c6e77bde3e154673f98998386eca9a813e5962f1907658932a8e22b43947fb5cf857bd2e8a9e192821fed073e1ad4972ee257eb4a

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe
    "C:\Users\Admin\AppData\Local\Temp\fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe"
    1⤵
      PID:336
      • C:\Users\Admin\AppData\Local\Temp\fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe
        "C:\Users\Admin\AppData\Local\Temp\fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe"
        2⤵
          PID:2032
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:1780
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:1512
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe ""
              3⤵
                PID:1608
          • C:\Windows\system32\makecab.exe
            "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220725153410.log C:\Windows\Logs\CBS\CbsPersist_20220725153410.cab
            1⤵
              PID:1580

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Modify Existing Service

            1
            T1031

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\rss\csrss.exe
              Filesize

              5.0MB

              MD5

              b35136bf591963c588eb24e67df17537

              SHA1

              aadc59616a36a1dbdbf36b9893c91d33ac407869

              SHA256

              fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e

              SHA512

              1271704d322ed6ec637fac4c6e77bde3e154673f98998386eca9a813e5962f1907658932a8e22b43947fb5cf857bd2e8a9e192821fed073e1ad4972ee257eb4a

              Download Submit
            • \Windows\rss\csrss.exe
              Filesize

              5.0MB

              MD5

              d9918ae52d8c06efd90ce053c0790e7c

              SHA1

              dc30cc60cb1d462f4d940db023c4b7aaf6f085bc

              SHA256

              151e40473d3e0186a6e5fc8fb399e1f633cd3f4a6b7ad22ed1fdb677ccde14c1

              SHA512

              72d8770a85c8154c342ee801f7b84fd783e6e95b5a65146a0910389b1db76046c3b7f8fdde34e7f157b0074bf68460091db4c3a88bd93a1335b1d9a3f5fca5b7

              Download Submit
            • \Windows\rss\csrss.exe
              Filesize

              5.0MB

              MD5

              b35136bf591963c588eb24e67df17537

              SHA1

              aadc59616a36a1dbdbf36b9893c91d33ac407869

              SHA256

              fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e

              SHA512

              1271704d322ed6ec637fac4c6e77bde3e154673f98998386eca9a813e5962f1907658932a8e22b43947fb5cf857bd2e8a9e192821fed073e1ad4972ee257eb4a

              Download Submit
            • memory/336-55-0x0000000005DB0000-0x0000000006147000-memory.dmp
              Filesize

              3.6MB

              Download
            • memory/336-56-0x0000000000400000-0x0000000005765000-memory.dmp
              Filesize

              83.4MB

              Download
            • memory/336-57-0x0000000000400000-0x0000000005765000-memory.dmp
              Filesize

              83.4MB

              Download
            • memory/336-54-0x0000000005DB0000-0x0000000006279000-memory.dmp
              Filesize

              4.8MB

              Download
            • memory/1512-61-0x0000000000000000-mapping.dmp
              Download
            • memory/1512-62-0x000007FEFB541000-0x000007FEFB543000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1608-66-0x0000000000000000-mapping.dmp
              Download
            • memory/1608-69-0x0000000005E70000-0x0000000006339000-memory.dmp
              Filesize

              4.8MB

              Download
            • memory/1608-70-0x0000000005E70000-0x0000000006207000-memory.dmp
              Filesize

              3.6MB

              Download
            • memory/1608-71-0x0000000000400000-0x0000000005765000-memory.dmp
              Filesize

              83.4MB

              Download
            • memory/1608-72-0x0000000000400000-0x0000000005765000-memory.dmp
              Filesize

              83.4MB

              Download
            • memory/1780-59-0x0000000000000000-mapping.dmp
              Download
            • memory/2032-63-0x0000000000400000-0x0000000005765000-memory.dmp
              Filesize

              83.4MB

              Download
            • memory/2032-60-0x0000000005DE0000-0x0000000006177000-memory.dmp
              Filesize

              3.6MB

              Download
            • memory/2032-58-0x0000000005DE0000-0x00000000062A9000-memory.dmp
              Filesize

              4.8MB

              Download
            • memory/2032-68-0x0000000000400000-0x0000000005765000-memory.dmp
              Filesize

              83.4MB

              Download