Overview

overview

10

Static

static

fa4e598fe6...9e.exe

windows7-x64

10

fa4e598fe6...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    5s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe

  • Size

    5.0MB

  • MD5

    b35136bf591963c588eb24e67df17537

  • SHA1

    aadc59616a36a1dbdbf36b9893c91d33ac407869

  • SHA256

    fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e

  • SHA512

    1271704d322ed6ec637fac4c6e77bde3e154673f98998386eca9a813e5962f1907658932a8e22b43947fb5cf857bd2e8a9e192821fed073e1ad4972ee257eb4a

Score
10/10
gluptebadropperevasionloader

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 7 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe
    "C:\Users\Admin\AppData\Local\Temp\fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe"
    1⤵
      PID:460
      • C:\Users\Admin\AppData\Local\Temp\fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe
        "C:\Users\Admin\AppData\Local\Temp\fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e.exe"
        2⤵
          PID:2168
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:2268
              • C:\Windows\system32\netsh.exe
                netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                4⤵
                • Modifies Windows Firewall
                PID:4632
            • C:\Windows\system32\cmd.exe
              C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
              3⤵
                PID:3664
                • C:\Windows\system32\netsh.exe
                  netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
                  4⤵
                  • Modifies Windows Firewall
                  PID:3280
              • C:\Windows\rss\csrss.exe
                C:\Windows\rss\csrss.exe ""
                3⤵
                  PID:2392
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
              1⤵
                PID:1896

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Modify Existing Service

              1
              T1031

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Windows\rss\csrss.exe
                Filesize

                5.0MB

                MD5

                b35136bf591963c588eb24e67df17537

                SHA1

                aadc59616a36a1dbdbf36b9893c91d33ac407869

                SHA256

                fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e

                SHA512

                1271704d322ed6ec637fac4c6e77bde3e154673f98998386eca9a813e5962f1907658932a8e22b43947fb5cf857bd2e8a9e192821fed073e1ad4972ee257eb4a

                Download Submit
              • C:\Windows\rss\csrss.exe
                Filesize

                5.0MB

                MD5

                b35136bf591963c588eb24e67df17537

                SHA1

                aadc59616a36a1dbdbf36b9893c91d33ac407869

                SHA256

                fa4e598fe61e6938199af4450bbc194b213ce44cbaa06b51268381102f1c0d9e

                SHA512

                1271704d322ed6ec637fac4c6e77bde3e154673f98998386eca9a813e5962f1907658932a8e22b43947fb5cf857bd2e8a9e192821fed073e1ad4972ee257eb4a

                Download Submit
              • memory/460-134-0x0000000000400000-0x0000000005765000-memory.dmp
                Filesize

                83.4MB

                Download
              • memory/460-132-0x0000000000400000-0x0000000005765000-memory.dmp
                Filesize

                83.4MB

                Download
              • memory/460-130-0x0000000006108000-0x000000000649F000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/460-131-0x0000000000400000-0x0000000005765000-memory.dmp
                Filesize

                83.4MB

                Download
              • memory/2168-145-0x00000000060D2000-0x0000000006469000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/2168-136-0x0000000000400000-0x0000000005765000-memory.dmp
                Filesize

                83.4MB

                Download
              • memory/2168-135-0x00000000060D2000-0x0000000006469000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/2168-144-0x0000000000400000-0x0000000005765000-memory.dmp
                Filesize

                83.4MB

                Download
              • memory/2168-133-0x0000000000000000-mapping.dmp
                Download
              • memory/2268-137-0x0000000000000000-mapping.dmp
                Download
              • memory/2392-141-0x0000000000000000-mapping.dmp
                Download
              • memory/2392-146-0x0000000006400000-0x0000000006797000-memory.dmp
                Filesize

                3.6MB

                Download
              • memory/2392-147-0x0000000000400000-0x0000000005765000-memory.dmp
                Filesize

                83.4MB

                Download
              • memory/2392-148-0x0000000000400000-0x0000000005765000-memory.dmp
                Filesize

                83.4MB

                Download
              • memory/3280-140-0x0000000000000000-mapping.dmp
                Download
              • memory/3664-139-0x0000000000000000-mapping.dmp
                Download
              • memory/4632-138-0x0000000000000000-mapping.dmp
                Download