glupteba | f7b6af1c5ca4d6111b901eb452c6954d2cd0016366bf772797bf17dc81472aae

Analysis

max time kernel
203s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b6af1c5ca4d6111b901eb452c6954d2cd0016366bf772797bf17dc81472aae.exe
Size

4.2MB
MD5

4ebfeebf833a84e36fe375262df8c1d9
SHA1

b3708977a104bbf7b9a09fb341f061551fe75116
SHA256

f7b6af1c5ca4d6111b901eb452c6954d2cd0016366bf772797bf17dc81472aae
SHA512

b93405d274e06e6228186ed17e890b1604fd33e9b8c7130351d6262256a6e443d8438d5f33dccb5a12ac091698c5dc174a8699daeba1f8573592c19398e13081
SSDEEP

98304:iqHi1d0SyoX78y0lw6KgquB6K/8xk2dOgHHCcd83Go1dtg4:XHi1dHyM8y/uB6Asn18Pt

Score

10^/10

glupteba dropper loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral2/memory/452-1-0x0000000002D60000-0x000000000364B000-memory.dmp	family_glupteba
behavioral2/memory/452-2-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/452-4-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/452-5-0x0000000002D60000-0x000000000364B000-memory.dmp	family_glupteba
behavioral2/memory/452-7-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/452-27-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/452-37-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3544	powershell.exe
3544	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3544	452	f7b6af1c5ca4d6111b901eb452c6954d2cd0016366bf772797bf17dc81472aae.exe	95
PID 452 wrote to memory of 3544	452	f7b6af1c5ca4d6111b901eb452c6954d2cd0016366bf772797bf17dc81472aae.exe	95
PID 452 wrote to memory of 3544	452	f7b6af1c5ca4d6111b901eb452c6954d2cd0016366bf772797bf17dc81472aae.exe	95

C:\Users\Admin\AppData\Local\Temp\f7b6af1c5ca4d6111b901eb452c6954d2cd0016366bf772797bf17dc81472aae.exe
"C:\Users\Admin\AppData\Local\Temp\f7b6af1c5ca4d6111b901eb452c6954d2cd0016366bf772797bf17dc81472aae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ynkpwwwd.tkw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/452-27-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/452-2-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/452-3-0x0000000002960000-0x0000000002D58000-memory.dmp

Filesize
4.0MB

Download
memory/452-4-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/452-5-0x0000000002D60000-0x000000000364B000-memory.dmp

Filesize
8.9MB

Download
memory/452-7-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/452-37-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/452-0-0x0000000002960000-0x0000000002D58000-memory.dmp

Filesize
4.0MB

Download
memory/452-1-0x0000000002D60000-0x000000000364B000-memory.dmp

Filesize
8.9MB

Download
memory/3544-35-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3544-24-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3544-13-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/3544-11-0x0000000004D60000-0x0000000005388000-memory.dmp

Filesize
6.2MB

Download
memory/3544-10-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3544-28-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3544-25-0x0000000005C60000-0x0000000005C7E000-memory.dmp

Filesize
120KB

Download
memory/3544-26-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3544-8-0x0000000004630000-0x0000000004666000-memory.dmp

Filesize
216KB

Download
memory/3544-12-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/3544-29-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3544-31-0x0000000004910000-0x000000000495C000-memory.dmp

Filesize
304KB

Download
memory/3544-34-0x0000000006270000-0x00000000062B4000-memory.dmp

Filesize
272KB

Download
memory/3544-19-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/3544-36-0x0000000007010000-0x0000000007086000-memory.dmp

Filesize
472KB

Download
memory/3544-9-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3544-38-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download