glupteba | b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15

Analysis

max time kernel
2s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 20:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe
Size

6.5MB
MD5

2719d8e190af2ee1e460685a2b142eb6
SHA1

72c0b813bbb07cb670f3e1b8c34eaec41af1b198
SHA256

b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15
SHA512

4db85a2970b70faa8b8aeb083024571c4b986b46aed6a2ce6baac467fe5a0b19c06ee824f026bc5d85c6eaac9372812dd32876d845560c2a34a1817c650655b8
SSDEEP

98304:EzBINdjEvhrSo9OivPCePvKJIEuQHaf9bVdD6TM/ttO8VWGe+OJAZkaVmVLaM16K:EzeNdjIhh9Oi3ByVuQs9zN/73vCLH6

Score

10^/10

glupteba stealc dropper evasion loader stealer upx

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

resource	yara_rule
behavioral1/memory/1112-40-0x0000000002A00000-0x00000000032EB000-memory.dmp	family_glupteba
behavioral1/memory/1112-41-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1112-44-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1112-47-0x0000000002A00000-0x00000000032EB000-memory.dmp	family_glupteba
behavioral1/memory/1640-50-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1640-59-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1456-74-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1456-102-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1456-145-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1456-132-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1456-150-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1456-181-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2848	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2928	InstallSetup7.exe
1112	31839b57a4f11171d6abc8bbc4451ee4.exe
2756	BroomSetup.exe

Loads dropped DLL 5 IoCs

pid	Process
3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe
3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe
3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe
2928	InstallSetup7.exe
2928	InstallSetup7.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2340-236-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3020-235-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3020-232-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2340-246-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2340-275-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
788	bcdedit.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2740	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2924	schtasks.exe
1116	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2928	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	28
PID 3064 wrote to memory of 2928	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	28
PID 3064 wrote to memory of 2928	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	28
PID 3064 wrote to memory of 2928	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	28
PID 3064 wrote to memory of 2928	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	28
PID 3064 wrote to memory of 2928	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	28
PID 3064 wrote to memory of 2928	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	28
PID 3064 wrote to memory of 1112	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	29
PID 3064 wrote to memory of 1112	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	29
PID 3064 wrote to memory of 1112	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	29
PID 3064 wrote to memory of 1112	3064	b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe	29
PID 2928 wrote to memory of 2756	2928	InstallSetup7.exe	30
PID 2928 wrote to memory of 2756	2928	InstallSetup7.exe	30
PID 2928 wrote to memory of 2756	2928	InstallSetup7.exe	30
PID 2928 wrote to memory of 2756	2928	InstallSetup7.exe	30
PID 2928 wrote to memory of 2756	2928	InstallSetup7.exe	30
PID 2928 wrote to memory of 2756	2928	InstallSetup7.exe	30
PID 2928 wrote to memory of 2756	2928	InstallSetup7.exe	30

C:\Users\Admin\AppData\Local\Temp\b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe
"C:\Users\Admin\AppData\Local\Temp\b9123eff82d12c62b247a51cdb9ea2b166d38f1ec8dba8b6ef9be868e44eda15.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\nsoBA0F.tmp
    C:\Users\Admin\AppData\Local\Temp\nsoBA0F.tmp
    3⤵
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:1640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:2556
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2848
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:1456
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:268
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        
        PID:708
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:412
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:788
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2924
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:3020

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240107200042.log C:\Windows\Logs\CBS\CbsPersist_20240107200042.cab
1⤵
PID:1672

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:2548

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

Filesize
422KB

MD5
375b89f2cb6e286f85054fc11737505e

SHA1
aae71085272f564d283c6a8ab9b9e318c094ce28

SHA256
f96955e494ada5d456ff948cab20a0f986d8e6e68ee886343f613f733c2147f1

SHA512
ccc668dd91dd25ce779b9deaa0c66bd3a5e9e5639d7d1a92da9253a6bd6800485558b64d4e203eb9cc7a4cabc5ccae5903117dceb1bcac6af65b31648b2e0ac9

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

Filesize
1024KB

MD5
e464a036233b083a53c398ce0a6b63bd

SHA1
7819eb90fd000b1eb10279e89f2d62dea18a6dcc

SHA256
de4a39cee92e14708854dbc92b966ab215de71210a8b42143619ccb912e7b1f4

SHA512
f7bfda457b231c5d620f45c85b568bdb4bb7ff0d84b875acdf8d752bb587a6243d0720acbb0ea1b1e50f07d9ebf00ddb9c79f321103f913b555f30dbfe2997b5

Download Submit
memory/708-87-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/708-95-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1112-46-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download
memory/1112-18-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download
memory/1112-47-0x0000000002A00000-0x00000000032EB000-memory.dmp

Filesize
8.9MB

Download
memory/1112-39-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download
memory/1112-40-0x0000000002A00000-0x00000000032EB000-memory.dmp

Filesize
8.9MB

Download
memory/1112-41-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1112-44-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-106-0x00000000025D0000-0x00000000029C8000-memory.dmp

Filesize
4.0MB

Download
memory/1456-132-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-278-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-169-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-185-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-60-0x00000000025D0000-0x00000000029C8000-memory.dmp

Filesize
4.0MB

Download
memory/1456-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-74-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-270-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-72-0x00000000025D0000-0x00000000029C8000-memory.dmp

Filesize
4.0MB

Download
memory/1456-102-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-145-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-181-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1456-150-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1640-45-0x00000000028B0000-0x0000000002CA8000-memory.dmp

Filesize
4.0MB

Download
memory/1640-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1640-50-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1640-49-0x00000000028B0000-0x0000000002CA8000-memory.dmp

Filesize
4.0MB

Download
memory/2340-236-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2340-246-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2340-275-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2756-30-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2756-48-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2756-75-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3008-166-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/3008-215-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3008-183-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/3008-165-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/3008-167-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3008-186-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3008-237-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3008-272-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3008-178-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3008-247-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/3020-235-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3020-232-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3064-20-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-1-0x0000000000840000-0x0000000000EBA000-memory.dmp

Filesize
6.5MB

Download
memory/3064-0-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads