glupteba | 98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836

General

Target

98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836.exe
Size

5.0MB
MD5

ed1f0a0037c07611763cb8f21ea92798
SHA1

4e365dc665d1e138115a061cac86b362af035f8e
SHA256

98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836
SHA512

ae227bafb233fd5bd2ef0d304a20e01812454c110c38d7351178eb2d69a25769520c201b0c2e6170cd408995a698c2b8a1be7f8a3aaf1270540a9eae83f3ef8a

Score

10^/10

glupteba dropper evasion loader suricata

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1284-132-0x0000000000400000-0x0000000001113000-memory.dmp	family_glupteba
behavioral2/memory/1284-134-0x0000000000400000-0x0000000001113000-memory.dmp	family_glupteba
behavioral2/memory/1544-138-0x0000000000400000-0x0000000001113000-memory.dmp	family_glupteba
behavioral2/memory/1544-146-0x0000000000400000-0x0000000001113000-memory.dmp	family_glupteba
behavioral2/memory/3920-149-0x0000000000400000-0x0000000001113000-memory.dmp	family_glupteba
behavioral2/memory/3920-150-0x0000000000400000-0x0000000001113000-memory.dmp	family_glupteba
behavioral2/memory/3920-151-0x0000000000400000-0x0000000001113000-memory.dmp	family_glupteba

suricata: ET MALWARE Glupteba CnC Domain in DNS Lookup
suricata: ET MALWARE Glupteba CnC Domain in DNS Lookup
suricata
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

872 netsh.exe
1816 netsh.exe

pid	process
872	netsh.exe
1816	netsh.exe

C:\Users\Admin\AppData\Local\Temp\98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836.exe
"C:\Users\Admin\AppData\Local\Temp\98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836.exe"
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836.exe
"C:\Users\Admin\AppData\Local\Temp\98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836.exe"
2⤵
PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:2640

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
3⤵
PID:1552

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1816

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\rss\csrss.exe
Filesize
5.0MB

MD5
ed1f0a0037c07611763cb8f21ea92798

SHA1
4e365dc665d1e138115a061cac86b362af035f8e

SHA256
98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836

SHA512
ae227bafb233fd5bd2ef0d304a20e01812454c110c38d7351178eb2d69a25769520c201b0c2e6170cd408995a698c2b8a1be7f8a3aaf1270540a9eae83f3ef8a

Download Submit
C:\Windows\rss\csrss.exe
Filesize
5.0MB

MD5
ed1f0a0037c07611763cb8f21ea92798

SHA1
4e365dc665d1e138115a061cac86b362af035f8e

SHA256
98390e5008cdcc1bf8d1dd153604af94ac789463c15244d1ac0fa29eeba83836

SHA512
ae227bafb233fd5bd2ef0d304a20e01812454c110c38d7351178eb2d69a25769520c201b0c2e6170cd408995a698c2b8a1be7f8a3aaf1270540a9eae83f3ef8a

Download Submit
memory/872-140-0x0000000000000000-mapping.dmp

Download
memory/1284-130-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/1284-134-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/1284-135-0x0000000003346000-0x00000000036DD000-memory.dmp

Filesize
3.6MB

Download
memory/1284-131-0x0000000003346000-0x00000000036DD000-memory.dmp

Filesize
3.6MB

Download
memory/1284-132-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/1544-137-0x00000000033A9000-0x0000000003740000-memory.dmp

Filesize
3.6MB

Download
memory/1544-133-0x0000000000000000-mapping.dmp

Download
memory/1544-138-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/1544-146-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/1544-136-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/1552-141-0x0000000000000000-mapping.dmp

Download
memory/1816-142-0x0000000000000000-mapping.dmp

Download
memory/2640-139-0x0000000000000000-mapping.dmp

Download
memory/3920-143-0x0000000000000000-mapping.dmp

Download
memory/3920-147-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/3920-148-0x0000000003900000-0x0000000003C97000-memory.dmp

Filesize
3.6MB

Download
memory/3920-149-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/3920-150-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download
memory/3920-151-0x0000000000400000-0x0000000001113000-memory.dmp

Filesize
13.1MB

Download

Analysis

Sharing