glupteba | b25b92d25b55c23f75775f1f50e83d5efc2881e8bdb02c0d2a3c3b4b21ccb9eb

General

Target

45cf09e26acea6e9d65bfef33939f4cc.exe
Size

4.4MB
MD5

45cf09e26acea6e9d65bfef33939f4cc
SHA1

0f8fde24d0f0cabbcfcd97eb1b7ae84f4cbd4331
SHA256

b25b92d25b55c23f75775f1f50e83d5efc2881e8bdb02c0d2a3c3b4b21ccb9eb
SHA512

8913e691f5e6f449cad2d0836635b148b0fc98411218b7f2f4920b40cb8ad9ae8b385a88806a045aaeca477076180ab3087519e0d1ab4345bac82a9739a9af35
SSDEEP

98304:YoIRGeaWtfnBWWGqJlOOpLFWikkLMXwxFr8oiWtWKo4pX0x:mvnhGqJlOOjWRkLMAxFDF9

Score

10^/10

glupteba metasploit backdoor dropper evasion loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

resource	yara_rule
behavioral2/memory/860-2-0x0000000005280000-0x0000000005BA6000-memory.dmp	family_glupteba
behavioral2/memory/860-3-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral2/memory/860-5-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral2/memory/860-6-0x0000000005280000-0x0000000005BA6000-memory.dmp	family_glupteba
behavioral2/memory/456-8-0x0000000005190000-0x0000000005AB6000-memory.dmp	family_glupteba
behavioral2/memory/456-9-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral2/memory/456-14-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral2/memory/456-18-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4464	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4176	860	WerFault.exe	15

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1456	schtasks.exe

GoLang User-Agent 4 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	88	Go-http-client/1.1
HTTP User-Agent header	89	Go-http-client/1.1
HTTP User-Agent header	90	Go-http-client/1.1
HTTP User-Agent header	56	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\45cf09e26acea6e9d65bfef33939f4cc.exe
"C:\Users\Admin\AppData\Local\Temp\45cf09e26acea6e9d65bfef33939f4cc.exe"
1⤵
PID:860
- C:\Users\Admin\AppData\Local\Temp\45cf09e26acea6e9d65bfef33939f4cc.exe
  "C:\Users\Admin\AppData\Local\Temp\45cf09e26acea6e9d65bfef33939f4cc.exe"
  2⤵
  PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2032
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe ""
    3⤵
    PID:1336
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 832
  2⤵
  - Program crash
  PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 860 -ip 860
1⤵
PID:976

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/456-7-0x0000000004D40000-0x0000000005181000-memory.dmp

Filesize
4.3MB

Download
memory/456-8-0x0000000005190000-0x0000000005AB6000-memory.dmp

Filesize
9.1MB

Download
memory/456-9-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/456-14-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/456-18-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/860-1-0x0000000004E30000-0x0000000005274000-memory.dmp

Filesize
4.3MB

Download
memory/860-2-0x0000000005280000-0x0000000005BA6000-memory.dmp

Filesize
9.1MB

Download
memory/860-3-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/860-5-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/860-6-0x0000000005280000-0x0000000005BA6000-memory.dmp

Filesize
9.1MB

Download
memory/1336-23-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-33-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-21-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/1336-24-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-30-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/1336-31-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-32-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-22-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-34-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-35-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-36-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-37-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-38-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-39-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-40-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/1336-41-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads