Overview

overview

10

Static

static

1

2654d11f2d...f7.exe

windows7-x64

10

2654d11f2d...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 03:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2654d11f2d3ce974e432ad1c84bcd1f7.exe

  • Size

    4.5MB

  • MD5

    2654d11f2d3ce974e432ad1c84bcd1f7

  • SHA1

    053efdc46790dd1b49e93863df59c83c39342c8f

  • SHA256

    df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

  • SHA512

    8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

  • SSDEEP

    98304:UvcNtBvoJc7I0r0fy0hqQRi69numaD09pJ6N5f1qlFBdWiBl5E1oz2tiuD:UkJtjr0fXRi65rwfCFTZteoz2B

Score
10/10
gluptebametasploitbackdoordropperevasionloadertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 15 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
    "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
    1⤵
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe
        "C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"
        2⤵
          PID:3192
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            3⤵
              PID:3620
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe /51-51
              3⤵
                PID:3704
                • C:\Windows\SYSTEM32\schtasks.exe
                  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  4⤵
                  • Creates scheduled task(s)
                  PID:2892
                • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  4⤵
                    PID:4292
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              1⤵
              • Modifies Windows Firewall
              PID:2396

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2732-1-0x00000000012D0000-0x0000000001711000-memory.dmp

              Filesize

              4.3MB

              Download

            • memory/2732-2-0x0000000001720000-0x0000000002046000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/2732-3-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/2732-4-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/2732-6-0x0000000001720000-0x0000000002046000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/3192-7-0x00000000010D0000-0x0000000001510000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/3192-8-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3192-17-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-19-0x0000000001600000-0x0000000001B00000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/3704-20-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-21-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-27-0x0000000001600000-0x0000000001B00000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/3704-28-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-29-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-30-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-31-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-32-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-33-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-34-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-35-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-36-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-37-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-38-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-39-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download

            • memory/3704-40-0x0000000000400000-0x0000000000D41000-memory.dmp

              Filesize

              9.3MB

              Download