glupteba | 60ea0e105fd73e96c1f9c5af05f1bf55b6a5abb9470881c1d679991a6729c51d

Analysis

max time kernel
0s
max time network
106s
platform
windows10-1703_x64
resource
win10-20231129-en
resource tags

arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
submitted
11/12/2023, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60ea0e105fd73e96c1f9c5af05f1bf55b6a5abb9470881c1d679991a6729c51d.exe
Size

4.1MB
MD5

51ad6d074c513e9a1735e4da9b34d615
SHA1

63aac45f0526da253b2df6a106c631febffd92a7
SHA256

60ea0e105fd73e96c1f9c5af05f1bf55b6a5abb9470881c1d679991a6729c51d
SHA512

d190717a395a931f7948e505b0413cc2dc67f21e4fb4b1783bb44ba7c88655aef458c0e0e78516ea3e82fe6b0c4ae7a18144394172e14dc59ac8aa0a26cc1640
SSDEEP

98304:+e6iOIy/yYQAnCMwI/wjPD8qzluFBIaf3An5kQ:+0OkUCrIoj48n5kQ

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

resource	yara_rule
behavioral1/memory/4208-2-0x0000000002D40000-0x000000000362B000-memory.dmp	family_glupteba
behavioral1/memory/4208-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4208-300-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4208-301-0x0000000002D40000-0x000000000362B000-memory.dmp	family_glupteba
behavioral1/memory/2712-304-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-803-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-1045-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1548-1049-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1548-1294-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3840	netsh.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1084	schtasks.exe
3572	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\60ea0e105fd73e96c1f9c5af05f1bf55b6a5abb9470881c1d679991a6729c51d.exe
"C:\Users\Admin\AppData\Local\Temp\60ea0e105fd73e96c1f9c5af05f1bf55b6a5abb9470881c1d679991a6729c51d.exe"
1⤵
PID:4208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  PID:4308
- C:\Users\Admin\AppData\Local\Temp\60ea0e105fd73e96c1f9c5af05f1bf55b6a5abb9470881c1d679991a6729c51d.exe
  "C:\Users\Admin\AppData\Local\Temp\60ea0e105fd73e96c1f9c5af05f1bf55b6a5abb9470881c1d679991a6729c51d.exe"
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3500
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:1000
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4612
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1000
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:656
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3572

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3ycf0fm.umo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
7KB

MD5
e9dbf60bafb21ba9055b3b641c287772

SHA1
7296bda9869a3b45f08946307ab331c6f933d2d3

SHA256
0849e3d669a67cb0e571def393c43b4e94076c22ab816b16a27db11608b5d012

SHA512
12b122408f85c260b1c9e74906ceb159d43b662a0c5341ab7d435b4f04a96b2631f9bdda67866e43f240518d95adea82e429a96abb57c8903aaeef6e769139be

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
191de16fcb054fbf970a1ea367d17ac5

SHA1
c81943b3c355321c0bcc57aa961ce92d7e38657b

SHA256
84b1db454cc3e2512f36d4475765abcdfdfd6640d2dc3a0d91140125798e8418

SHA512
86bea22dc0f9052acf1d20849b1d9de0f98da5f25b9165f0325252fc07893a7ea64eceb16d480a6fa4fa4e66e63848dd1c793fd3b950ae67240e4048fb5eab50

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
d4edaebac20ddb0add0c85d3476d5379

SHA1
3919a11ce82ae7e1f7b62d1c3d2e9d5b6c7fef61

SHA256
a92f14c6dc58c0c394f0b84bf0cbaf5e34d936309eb7c361570b93d6977ba848

SHA512
a4a1e347ff4b67db3c9d0df5d2100063bb39ce5f597de7c79ae95c611a5cb290e6b173e63f05bdc55de5b61904d2d0b110d8d37bc67bec1e2a64bc30c1a9876d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
867f4379ee2c0723bce4d03c646f7f11

SHA1
f51f5a93a328a196e40ae1d3e437d7a4f05f8da5

SHA256
d2ef8941a14b2acafc547254b1f49ca030adb94af27faf6e58e212dab01b0e97

SHA512
bad8175de886185e0a036714a3fa0b28531b623624a05e58d61062fe4fe916c2afa503f1c32f84e1b1c13e8988294c8a6a0552a7be7148c676cf7800d1e3f674

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
dd72e37364bbc2661bb2f57a030af44a

SHA1
afd1c6c8a7e89aca41c9bc4bd6ea5cc2e69c5701

SHA256
d8c01ad18b765c6e9cb2533c3ba90f50232d2b5c3a91e15845f6fa54221a0806

SHA512
1d0c809dc94cb86e114b7df311a368f60ff642b3bc5cf774e4bb51f2b8a2431794176a428f74d13b2bf4cb8f64c7aab7bf821a1e6cba4c78e087455ba5db8f29

Download Submit
C:\Windows\rss\csrss.exe

Filesize
34KB

MD5
13ded01c4806ab650b890fdbfb1b27f6

SHA1
f1207432aa44e0991145e0d35e373eebb9b30483

SHA256
32506a46faf4243e4880c5428c778dc21ae9a7e21442a337a5e73d00ac23a8dd

SHA512
0fe04e99387852c6fb4936e3c719dfe70dee42be06911026994230f86ffd24d9047a9338a9607843c233632f6b9160beef975a200fcea22f307cc097d3ceea5a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1KB

MD5
8b9ea2e72fa7bd7b134f05505298b35b

SHA1
b189293ba91f1f77f59c11620c69b496da595d9c

SHA256
1381c0866ca7ab1a9a0200fcec14c5a48095f5bc07204fc8f4ba0e0d723361e7

SHA512
d2ee251f6fe2d40140829f90f6aa1e798540a9bfa5ce2543da422d3c98065bae269afdc9d65513c7f2b6665c793fd573e7571cc5866932d5809da2efc5e64d56

Download Submit
memory/1000-822-0x000000006FE60000-0x000000006FEAB000-memory.dmp

Filesize
300KB

Download
memory/1000-1041-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/1000-801-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1000-799-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/1000-823-0x000000006FEB0000-0x0000000070200000-memory.dmp

Filesize
3.3MB

Download
memory/1000-800-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1000-828-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/1548-1557-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1558-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1049-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1048-0x0000000002E00000-0x00000000031F9000-memory.dmp

Filesize
4.0MB

Download
memory/1548-1294-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1556-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1551-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1561-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1555-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1554-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1553-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1552-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1559-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1560-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1550-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-1045-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-803-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-582-0x00000000029B0000-0x0000000002DB8000-memory.dmp

Filesize
4.0MB

Download
memory/2712-304-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-303-0x00000000029B0000-0x0000000002DB8000-memory.dmp

Filesize
4.0MB

Download
memory/2800-554-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-556-0x0000000008150000-0x00000000084A0000-memory.dmp

Filesize
3.3MB

Download
memory/2800-796-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-583-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/2800-577-0x000000006FED0000-0x0000000070220000-memory.dmp

Filesize
3.3MB

Download
memory/2800-576-0x000000006FE60000-0x000000006FEAB000-memory.dmp

Filesize
300KB

Download
memory/3500-336-0x0000000009CE0000-0x0000000009D85000-memory.dmp

Filesize
660KB

Download
memory/3500-311-0x0000000008770000-0x00000000087BB000-memory.dmp

Filesize
300KB

Download
memory/3500-330-0x000000006FE60000-0x000000006FEAB000-memory.dmp

Filesize
300KB

Download
memory/3500-331-0x000000006FEB0000-0x0000000070200000-memory.dmp

Filesize
3.3MB

Download
memory/3500-551-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/3500-310-0x0000000008250000-0x00000000085A0000-memory.dmp

Filesize
3.3MB

Download
memory/3500-337-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3500-307-0x0000000073130000-0x000000007381E000-memory.dmp

Filesize
6.9MB

Download
memory/3500-308-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3500-309-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/3856-1055-0x00000000078A0000-0x0000000007BF0000-memory.dmp

Filesize
3.3MB

Download
memory/3856-1076-0x000000007EAB0000-0x000000007EAC0000-memory.dmp

Filesize
64KB

Download
memory/3856-1077-0x000000006FDC0000-0x000000006FE0B000-memory.dmp

Filesize
300KB

Download
memory/3856-1078-0x000000006FE10000-0x0000000070160000-memory.dmp

Filesize
3.3MB

Download
memory/3856-1052-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/3856-1057-0x0000000007E50000-0x0000000007E9B000-memory.dmp

Filesize
300KB

Download
memory/3856-1053-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/3856-1054-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/4208-1-0x0000000002940000-0x0000000002D3D000-memory.dmp

Filesize
4.0MB

Download
memory/4208-300-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4208-2-0x0000000002D40000-0x000000000362B000-memory.dmp

Filesize
8.9MB

Download
memory/4208-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4208-301-0x0000000002D40000-0x000000000362B000-memory.dmp

Filesize
8.9MB

Download
memory/4308-82-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-26-0x00000000096A0000-0x0000000009716000-memory.dmp

Filesize
472KB

Download
memory/4308-83-0x000000000A840000-0x000000000A8D4000-memory.dmp

Filesize
592KB

Download
memory/4308-76-0x000000000A610000-0x000000000A62E000-memory.dmp

Filesize
120KB

Download
memory/4308-73-0x000000000A630000-0x000000000A663000-memory.dmp

Filesize
204KB

Download
memory/4308-72-0x000000007F6C0000-0x000000007F6D0000-memory.dmp

Filesize
64KB

Download
memory/4308-276-0x000000000A7E0000-0x000000000A7FA000-memory.dmp

Filesize
104KB

Download
memory/4308-75-0x000000006FD90000-0x00000000700E0000-memory.dmp

Filesize
3.3MB

Download
memory/4308-299-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/4308-74-0x000000006FD40000-0x000000006FD8B000-memory.dmp

Filesize
300KB

Download
memory/4308-35-0x0000000009660000-0x000000000969C000-memory.dmp

Filesize
240KB

Download
memory/4308-81-0x000000000A670000-0x000000000A715000-memory.dmp

Filesize
660KB

Download
memory/4308-15-0x00000000086B0000-0x00000000086FB000-memory.dmp

Filesize
300KB

Download
memory/4308-14-0x0000000008670000-0x000000000868C000-memory.dmp

Filesize
112KB

Download
memory/4308-13-0x00000000082A0000-0x00000000085F0000-memory.dmp

Filesize
3.3MB

Download
memory/4308-10-0x00000000078E0000-0x0000000007902000-memory.dmp

Filesize
136KB

Download
memory/4308-11-0x00000000081B0000-0x0000000008216000-memory.dmp

Filesize
408KB

Download
memory/4308-12-0x0000000007FD0000-0x0000000008036000-memory.dmp

Filesize
408KB

Download
memory/4308-9-0x0000000007930000-0x0000000007F58000-memory.dmp

Filesize
6.2MB

Download
memory/4308-7-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/4308-8-0x00000000072F0000-0x0000000007300000-memory.dmp

Filesize
64KB

Download
memory/4308-6-0x00000000071E0000-0x0000000007216000-memory.dmp

Filesize
216KB

Download
memory/4308-281-0x000000000A7D0000-0x000000000A7D8000-memory.dmp

Filesize
32KB

Download
memory/4612-1296-0x0000000002C40000-0x0000000002CEE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads