Overview

overview

10

Static

static

10

6c5db6dce1...3e.exe

windows7-x64

10

6c5db6dce1...3e.exe

windows10-2004-x64

10

DusBrowserInst.exe

windows7-x64

6

DusBrowserInst.exe

windows10-2004-x64

6

IDWCH2.exe

windows7-x64

7

IDWCH2.exe

windows10-2004-x64

7

Litever01.exe

windows7-x64

10

Litever01.exe

windows10-2004-x64

10

anyname.exe

windows7-x64

3

anyname.exe

windows10-2004-x64

7

app.exe

windows7-x64

10

app.exe

windows10-2004-x64

10

askinstall50.exe

windows7-x64

10

askinstall50.exe

windows10-2004-x64

10

farlab_setup.exe

windows7-x64

7

farlab_setup.exe

windows10-2004-x64

7

inst002.exe

windows7-x64

10

inst002.exe

windows10-2004-x64

10

jamesnew.exe

windows7-x64

3

jamesnew.exe

windows10-2004-x64

3

justdezine.exe

windows7-x64

10

justdezine.exe

windows10-2004-x64

10

md3_3kvm.exe

windows7-x64

10

md3_3kvm.exe

windows10-2004-x64

10

mixseven.exe

windows7-x64

10

mixseven.exe

windows10-2004-x64

10

redcloud.exe

windows7-x64

10

redcloud.exe

windows10-2004-x64

10

vguuu.exe

windows7-x64

6

vguuu.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    4s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2024 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c5db6dce13ded4e0e6c7e9a526b063e.exe

  • Size

    4.4MB

  • MD5

    15f91f6b410dde682ba9afacc7a4d011

  • SHA1

    41b04c412ae131c8fcbf314f75a8ae8985468f59

  • SHA256

    3f2fe1d2857ba3eba92108104c95c0d4908b5aaa5677ba53c251a16714923a6b

  • SHA512

    a5f5bfaabfe4ecd5918fc60c588a3bd55fccfcf39cbdcb8eacace8da2fa85eee7cbb5e9487bc836bddf6cec77c2be7d3ec8916b2dbb34ab04925e093df06a37c

  • SSDEEP

    98304:gKfuYZFxltfUmFhK8e4g+ent8Ype+nTDlHn8obcTwMi:gKrz3VAt/pFTzcTw1

Score
10/10
gluptebametasploitbackdoordropperevasionloadertrojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 18 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • GoLang User-Agent 4 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
    "C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2444
    • C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
      "C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
      2⤵
        PID:868
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          3⤵
            PID:3640
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe /133-133
            3⤵
              PID:1656
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                4⤵
                • Creates scheduled task(s)
                PID:4032
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                4⤵
                  PID:3224
          • C:\Windows\system32\netsh.exe
            netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            1⤵
            • Modifies Windows Firewall
            PID:2800

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Filesize

            79KB

            MD5

            85213721393ce9e913751fd4da0199de

            SHA1

            2062ddb0a9d91f7c4a86d539bee619c1f94912d1

            SHA256

            a79d5cf64e78262dcf6ed37d96c3011db17e235102545441ae85bcccd256acfc

            SHA512

            4119213679ad91892875861a98f8332e98f1512407b0f54deec65e7fadc7663f9ae034266d75446dcea5849f6986972b89824b4ee0e1a093dd978db68f782be4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Filesize

            46KB

            MD5

            9c28001c1e25154a7c863b385125ff35

            SHA1

            b5e226bba1e0944204203e45f0b0aeab9247595f

            SHA256

            d5378fa64f3022f259d2220dbe569a8818004f000d32fc16f247213dea8caf27

            SHA512

            19e8a603407c5fcd3bd7ceeed7029894cb5c600e353d6600c278615cf0c5b4dadf195483c05922eea81d3322f4b52d8e554cc6fbbc231322d732cdf94b4aee0a

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            70KB

            MD5

            c8c987dc9c88ad4eeb99c4eb3887284f

            SHA1

            7461006bf646f9ff5858b53dfef29189ef7efe4e

            SHA256

            0361acc38ef3c5c97854fb4f968a892003a4150cdc32da516e586d8fac4d9b57

            SHA512

            93ac60bfac5e2ab3d4824492233729dd8ea361166ea76ebbfb5c348114e15a6756de2a56ec70b4d8a954c6b0f96cec8182f3cd6a73a8744e5decdfde3764c8c1

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            107KB

            MD5

            c88a18dc0de41b3b4958be4470a535d0

            SHA1

            6984c20ca4bf2b792dd6271db6791d37ec8c7e9e

            SHA256

            e9d0f73ca2c91a90d6a509f50df887573a342569982cc4147ba4fef572a2ca20

            SHA512

            a4df19e97d35351342354d95b119de9681adaa6ecb694871b4a51c4526db1832f56c83352cfb94bf6ae96da60677de0d068a1a878d0d30d6be9319506c9b6b1c

            Download Submit

          • memory/868-16-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/868-7-0x0000000001070000-0x00000000014BC000-memory.dmp

            Filesize

            4.3MB

            Download

          • memory/868-8-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-29-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-27-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-30-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-19-0x0000000001600000-0x0000000001B00000-memory.dmp

            Filesize

            5.0MB

            Download

          • memory/1656-20-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-21-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-39-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-38-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-31-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-36-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-40-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-37-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-28-0x0000000001600000-0x0000000001B00000-memory.dmp

            Filesize

            5.0MB

            Download

          • memory/1656-32-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-33-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-34-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/1656-35-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/2444-3-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/2444-4-0x0000000000400000-0x0000000000D41000-memory.dmp

            Filesize

            9.3MB

            Download

          • memory/2444-2-0x00000000013E0000-0x0000000001D06000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/2444-6-0x00000000013E0000-0x0000000001D06000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/2444-1-0x0000000000F90000-0x00000000013D8000-memory.dmp

            Filesize

            4.3MB

            Download