glupteba | 817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7

Analysis

max time kernel
9s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7.exe
Size

4.2MB
MD5

902a6864c77a1156e2acf968217fc068
SHA1

c721a18cf0f7577f1b034c2867fa6e787d20b66a
SHA256

817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7
SHA512

273c2e0ccf0fbd42611d1e190ce53620dac19b209a12840b8ca3ffc9744b271ca5246ff0ad269f57aa2cd7364f3642386bdde44beb3c566bf0f80bb0b90b77c8
SSDEEP

98304:v2LSaMsua00GVP4yTqyN9qqOwAlVOkMhr2c+PXxYGrYCnb5iVp8:uSaMsn00OaEsJO3hCc+Prbkg

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

resource	yara_rule
behavioral2/memory/3456-1-0x00000000049D0000-0x00000000052BB000-memory.dmp	family_glupteba
behavioral2/memory/3456-2-0x0000000000400000-0x000000000281F000-memory.dmp	family_glupteba
behavioral2/memory/3456-21-0x0000000000400000-0x000000000281F000-memory.dmp	family_glupteba
behavioral2/memory/3456-30-0x00000000049D0000-0x00000000052BB000-memory.dmp	family_glupteba
behavioral2/memory/3456-50-0x0000000000400000-0x000000000281F000-memory.dmp	family_glupteba
behavioral2/memory/3456-58-0x0000000000400000-0x000000000281F000-memory.dmp	family_glupteba
behavioral2/memory/4616-61-0x0000000000400000-0x000000000281F000-memory.dmp	family_glupteba
behavioral2/memory/4616-105-0x0000000000400000-0x000000000281F000-memory.dmp	family_glupteba
behavioral2/memory/4616-153-0x0000000000400000-0x000000000281F000-memory.dmp	family_glupteba
behavioral2/memory/2604-171-0x0000000000400000-0x000000000281F000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4004	netsh.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4752	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\JC_817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7.exe
"C:\Users\Admin\AppData\Local\Temp\JC_817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7.exe"
1⤵
PID:3456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\JC_817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7.exe
  "C:\Users\Admin\AppData\Local\Temp\JC_817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7.exe"
  2⤵
  PID:4616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:3328
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1572
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2860
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4948
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwg3p1om.hbq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7d16a51c834b1cd8af786a5d8f583f36

SHA1
40595760747ff0b943a8d7736768cf13068115ab

SHA256
991c70dae4c38088ca25dbe5abfa56be774a66287df7047a1108749a24eceb6a

SHA512
b56d8302f248bcf98ffd412e38c1094d5b37f98ca96080de5cf42cc63c8bb877f83da016ef89635f7fcf362d704df44477a848b01db76ad82b9813e9bd922ff2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
363717e2019e1859ebc947082dc14efd

SHA1
e3bea8b8d8b7d8804ade9e9c612a16e8784c6473

SHA256
a8d611b58d1df30c3ceac7ab7d2db92cf992cd954b43953770ec3d90384b344f

SHA512
7100cbaf841e59b3a17f8a9af0ff44131a95972ff01e1f6360f685f09fa6ff82b868e10ee80fc693f54af6f09adffc67511f41094c96d0cbb92bd6e9bea0c944

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
cbb792a6cf6c6a78d7cd9abfa3ee6e03

SHA1
53d24315ff5201a095741580b25709bd6c2b168d

SHA256
3fe0f4bb5acbc9e535b91f38de628c0e26e55b2e68d2efd63a37681ff9764a1a

SHA512
fc9568dfa75fb084ff9f76744eeea2cca1aa3aa2f1f76d7001a08e5ebdcc56e904340f3f1a109268e60c964a9bad4da754da960ca8e86335e670c7417d89a448

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c8a70ec10d08589bd7351161f7a6fcb5

SHA1
2bc4754cd0fba4716b8b4ce68ea62714356c7f59

SHA256
362d63908d2aa6e54b9b7c89163d91fbea6b0073b9671dd0bf6217cf7ed41760

SHA512
99132bf68ca4a94fcad6a379e03e0f0c4636cf3cf7ec8468255cfad7524c56c1cc2dd9bb8397e7073992cbb22b9913a7468b3dbbf52109caff4e11e47ca193a9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7e85e2a91e6be1adb92c7e0b014d8a8f

SHA1
539c890dc850fb0e07b7cdecb2cd0fbff35a05d4

SHA256
1da2aa8daa22b9db6e9b4e4e4c8eeb0efde621c6664145e0ab61fb820273c26c

SHA512
dd2630b8862d3eaf89b1be4d2bfe6354b4dc8a2b50b1cb582104f503deda7c606588487549150736ad205c33c8467bf9226843b1de40485a96d3350a6e98af77

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
902a6864c77a1156e2acf968217fc068

SHA1
c721a18cf0f7577f1b034c2867fa6e787d20b66a

SHA256
817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7

SHA512
273c2e0ccf0fbd42611d1e190ce53620dac19b209a12840b8ca3ffc9744b271ca5246ff0ad269f57aa2cd7364f3642386bdde44beb3c566bf0f80bb0b90b77c8

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
902a6864c77a1156e2acf968217fc068

SHA1
c721a18cf0f7577f1b034c2867fa6e787d20b66a

SHA256
817492ecf2bf99cefbae7f2597ff273b62aaa0abde51176eabc89485840b10b7

SHA512
273c2e0ccf0fbd42611d1e190ce53620dac19b209a12840b8ca3ffc9744b271ca5246ff0ad269f57aa2cd7364f3642386bdde44beb3c566bf0f80bb0b90b77c8

Download Submit
memory/1572-124-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/1572-149-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/1572-138-0x00000000700F0000-0x0000000070444000-memory.dmp

Filesize
3.3MB

Download
memory/1572-137-0x000000006FF70000-0x000000006FFBC000-memory.dmp

Filesize
304KB

Download
memory/1572-122-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/1572-136-0x000000007FDA0000-0x000000007FDB0000-memory.dmp

Filesize
64KB

Download
memory/1572-135-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/1572-123-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2604-171-0x0000000000400000-0x000000000281F000-memory.dmp

Filesize
36.1MB

Download
memory/2636-84-0x00000000079E0000-0x0000000007A83000-memory.dmp

Filesize
652KB

Download
memory/2636-74-0x00000000700F0000-0x0000000070444000-memory.dmp

Filesize
3.3MB

Download
memory/2636-62-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/2636-72-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2636-73-0x000000006FF70000-0x000000006FFBC000-memory.dmp

Filesize
304KB

Download
memory/2636-85-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

Filesize
68KB

Download
memory/2636-89-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/2636-86-0x0000000007D50000-0x0000000007D64000-memory.dmp

Filesize
80KB

Download
memory/3456-1-0x00000000049D0000-0x00000000052BB000-memory.dmp

Filesize
8.9MB

Download
memory/3456-0-0x00000000045D0000-0x00000000049C8000-memory.dmp

Filesize
4.0MB

Download
memory/3456-21-0x0000000000400000-0x000000000281F000-memory.dmp

Filesize
36.1MB

Download
memory/3456-2-0x0000000000400000-0x000000000281F000-memory.dmp

Filesize
36.1MB

Download
memory/3456-30-0x00000000049D0000-0x00000000052BB000-memory.dmp

Filesize
8.9MB

Download
memory/3456-28-0x00000000045D0000-0x00000000049C8000-memory.dmp

Filesize
4.0MB

Download
memory/3456-58-0x0000000000400000-0x000000000281F000-memory.dmp

Filesize
36.1MB

Download
memory/3456-50-0x0000000000400000-0x000000000281F000-memory.dmp

Filesize
36.1MB

Download
memory/4284-54-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/4284-27-0x0000000007B50000-0x00000000081CA000-memory.dmp

Filesize
6.5MB

Download
memory/4284-53-0x00000000078C0000-0x00000000078DA000-memory.dmp

Filesize
104KB

Download
memory/4284-51-0x0000000007850000-0x000000000785E000-memory.dmp

Filesize
56KB

Download
memory/4284-57-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4284-49-0x0000000007810000-0x0000000007821000-memory.dmp

Filesize
68KB

Download
memory/4284-4-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4284-5-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4284-48-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/4284-47-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/4284-32-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4284-34-0x000000007FBF0000-0x000000007FC00000-memory.dmp

Filesize
64KB

Download
memory/4284-46-0x00000000076F0000-0x0000000007793000-memory.dmp

Filesize
652KB

Download
memory/4284-35-0x00000000700F0000-0x0000000070444000-memory.dmp

Filesize
3.3MB

Download
memory/4284-45-0x0000000007690000-0x00000000076AE000-memory.dmp

Filesize
120KB

Download
memory/4284-33-0x000000006FF70000-0x000000006FFBC000-memory.dmp

Filesize
304KB

Download
memory/4284-31-0x00000000076B0000-0x00000000076E2000-memory.dmp

Filesize
200KB

Download
memory/4284-6-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4284-3-0x0000000004B70000-0x0000000004BA6000-memory.dmp

Filesize
216KB

Download
memory/4284-7-0x0000000005360000-0x0000000005988000-memory.dmp

Filesize
6.2MB

Download
memory/4284-8-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/4284-52-0x0000000007870000-0x0000000007884000-memory.dmp

Filesize
80KB

Download
memory/4284-9-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/4284-10-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/4284-20-0x0000000005AF0000-0x0000000005E44000-memory.dmp

Filesize
3.3MB

Download
memory/4284-22-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/4284-23-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/4284-29-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/4284-26-0x0000000007450000-0x00000000074C6000-memory.dmp

Filesize
472KB

Download
memory/4284-25-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4284-24-0x00000000066D0000-0x0000000006714000-memory.dmp

Filesize
272KB

Download
memory/4380-121-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4380-119-0x000000007FA20000-0x000000007FA30000-memory.dmp

Filesize
64KB

Download
memory/4380-109-0x0000000070710000-0x0000000070A64000-memory.dmp

Filesize
3.3MB

Download
memory/4380-108-0x000000006FF70000-0x000000006FFBC000-memory.dmp

Filesize
304KB

Download
memory/4380-94-0x0000000005A80000-0x0000000005DD4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-92-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4380-93-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4380-91-0x00000000740D0000-0x0000000074880000-memory.dmp

Filesize
7.7MB

Download
memory/4616-105-0x0000000000400000-0x000000000281F000-memory.dmp

Filesize
36.1MB

Download
memory/4616-153-0x0000000000400000-0x000000000281F000-memory.dmp

Filesize
36.1MB

Download
memory/4616-61-0x0000000000400000-0x000000000281F000-memory.dmp

Filesize
36.1MB

Download
memory/4616-59-0x00000000044E0000-0x00000000048D8000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads