glupteba | df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

General

Target

2654d11f2d3ce974e432ad1c84bcd1f7.exe
Size

4.5MB
MD5

2654d11f2d3ce974e432ad1c84bcd1f7
SHA1

053efdc46790dd1b49e93863df59c83c39342c8f
SHA256

df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
SHA512

8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
SSDEEP

98304:UvcNtBvoJc7I0r0fy0hqQRi69numaD09pJ6N5f1qlFBdWiBl5E1oz2tiuD:UkJtjr0fXRi65rwfCFTZteoz2B

Score

10^/10

glupteba metasploit backdoor dropper evasion loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

resource	yara_rule
behavioral2/memory/2732-2-0x0000000001720000-0x0000000002046000-memory.dmp	family_glupteba
behavioral2/memory/2732-3-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/2732-4-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/2732-6-0x0000000001720000-0x0000000002046000-memory.dmp	family_glupteba
behavioral2/memory/3192-8-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3192-17-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-20-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-21-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-28-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-29-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-30-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-31-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-32-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-33-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3704-34-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2396	netsh.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2892	schtasks.exe

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	40	Go-http-client/1.1
HTTP User-Agent header	59	Go-http-client/1.1
HTTP User-Agent header	61	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
"C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
  "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
  2⤵
  PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:3620
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe /51-51
    3⤵
    PID:3704
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4292

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-1-0x00000000012D0000-0x0000000001711000-memory.dmp

Filesize
4.3MB

Download
memory/2732-2-0x0000000001720000-0x0000000002046000-memory.dmp

Filesize
9.1MB

Download
memory/2732-3-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2732-4-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2732-6-0x0000000001720000-0x0000000002046000-memory.dmp

Filesize
9.1MB

Download
memory/3192-7-0x00000000010D0000-0x0000000001510000-memory.dmp

Filesize
4.2MB

Download
memory/3192-8-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3192-17-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-19-0x0000000001600000-0x0000000001B00000-memory.dmp

Filesize
5.0MB

Download
memory/3704-20-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-21-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-27-0x0000000001600000-0x0000000001B00000-memory.dmp

Filesize
5.0MB

Download
memory/3704-28-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-29-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-30-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-31-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-32-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-33-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-34-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-35-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-36-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-37-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-38-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-39-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3704-40-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads