glupteba | 693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe
Size

4.1MB
MD5

881aa53278b6fd49243280d29897d19d
SHA1

dd028f2c1f5b5356e81eadc0e39f263105847f19
SHA256

693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda
SHA512

2fd0d0eef468aa3ebac35c2979976214ba4c7c49a2bd86ddbd48be30c87073bbc67f72e171ec7056d14e4671561d16a636f47664db861a1227ce75e07d12c49c
SSDEEP

98304:JGrnwiB2dYFBQLVw0Jv37FWi1chPr/xRmmjECQgDNU:JG7LuY/yhvJWf/qmwCQmU

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

resource	yara_rule
behavioral1/memory/2696-138-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral1/memory/2696-139-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba
behavioral1/memory/2696-140-0x0000000000400000-0x0000000002EDD000-memory.dmp	family_glupteba

Detects Windows executables referencing non-Windows User-Agents 4 IoCs

resource	yara_rule
behavioral1/memory/2696-138-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2696-139-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2696-140-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2696-141-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 4 IoCs

resource	yara_rule
behavioral1/memory/2696-138-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2696-139-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2696-140-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2696-141-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 4 IoCs

resource	yara_rule
behavioral1/memory/2696-138-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2696-139-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2696-140-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2696-141-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 4 IoCs

resource	yara_rule
behavioral1/memory/2696-138-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2696-139-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2696-140-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2696-141-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 4 IoCs

resource	yara_rule
behavioral1/memory/2696-138-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2696-139-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2696-140-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2696-141-0x0000000000400000-0x0000000002EDD000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2228	netsh.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1524	bcdedit.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
572	schtasks.exe
2996	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe
"C:\Users\Admin\AppData\Local\Temp\693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe"
1⤵
PID:2724
- C:\Users\Admin\AppData\Local\Temp\693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe
  "C:\Users\Admin\AppData\Local\Temp\693fa17c698273ec0029c95a052cebf63a9e00c8e9ccc9cc1c77b586425efcda.exe"
  2⤵
  PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2748
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2228
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2696
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:572
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:1732
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1524
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2996

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240607015413.log C:\Windows\Logs\CBS\CbsPersist_20240607015413.cab
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC083.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
2.8MB

MD5
ecf927efdc5df91d96e3ba914f04eb94

SHA1
6ffc6ea918540211be2f918a4ee5e4af9b556307

SHA256
16d5a70ff8cf79b1673aeb7746729d0bea24a9792c56dfbaa6e9aaf2c07ae80f

SHA512
7efb3f83dac25d38cb3c01ede96bf464f9c06ac1ffa503e4601b99905b0ce22a207786ec06ae6ffd7472604a904962e4b1048af1bbaf97e6a5b3c734fc9f7a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
448KB

MD5
b6b472b1f0c8b46a26e07f7ed6ff85e9

SHA1
a3a0b71d51ba90bff662aea973bc753c6cabc2e6

SHA256
94a6062689f1434e56260172d5a1c8a5a6c99c897a21fea8280cd069e718f5e3

SHA512
aa9ac904a8dc69bbe1e57ce127763e96e6d5da7cd118f0b4a5e3a778ce189beac06f10344d7a78a463d6d64bfeddc7b0142ca70cfd7660aed8be04299c352ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC1B3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
448KB

MD5
33f63e6278297e30159507b38e1e4424

SHA1
24f7158e8d2a8a74792557baeeeb7792039a10e0

SHA256
bb9e5d7e8667c94a45f99684bac7a72458beeeae50125310016e1269e2e0f6d5

SHA512
b7bb9196450a6da06eb1fb22f45e029a2ce41a42a7191abb1e4d8ca10c98993a94d2b36129194984ef85c59160cebaa24b9e59b0cc1c1f70a883895b598a9c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
448KB

MD5
1220c3c024d4107c5136935bb5e9b821

SHA1
da6fc337aa6e49090cee1be61c3dbd9be7cb5335

SHA256
ef23252e509d3ac741be7e5a6d46e9363fba6ae0689395a8162663575dcf3764

SHA512
4a01f7bb330114633ad733d083eee63c66d88800aac29ab31a6cc4d75f743a3db6aed59dccb9444ac21b4edd5ac1cb2cb317076bd4d6a5a869194abd064b9f0d

Download Submit
C:\Windows\rss\csrss.exe

Filesize
448KB

MD5
18d9fffa36ea9ece21f797fdba0ddad7

SHA1
2e450930c0345bb4c247d6141f61932c920e9f08

SHA256
4fb1793250724d6a109adff064461f9dd105423ee69e6ffd073bcc70c9498429

SHA512
e2249b54d98ee3fae2723da69b121c2667d79674afda3249ccc620a8cfb0b24ff438a9ce093083ec657ad7c4b1c0fe968e8a7aa8036b8b9ab97f8e49fc9ca704

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.2MB

MD5
b89bf94cd7749450ba0ec2c7ff193c0c

SHA1
5bb3cffc2fa4321bbb3703429487b32c85f769a7

SHA256
180c373d06e70d9d3d14298969e21ffafe2f016ae32b5296dd044de16f2c07ba

SHA512
3857e7183f9839023a7fe97ab87a532749c500ea4e4b207d0c9f07ee621a404e477002e97825f4c41cc5393ba10474a8daae9dc9bf3b492746137cb5462a179e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
128KB

MD5
20135139afc48fd93d3b4f4564597f8c

SHA1
d8b2c4135adaeabf072e15da020d8df284bc3ef4

SHA256
1d1c3de0760fc109333d5148ad082285b3cefd32f34c3deb7ff3d87a4f59c7c2

SHA512
eb3f643ab329f21b5525167358d86a9dc16617159443f125a62ced80bbadcc946e5ade0de4aa61b910eb92b7334e8aceafa9f0905d0b56b58bb736f69e0419bf

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
448KB

MD5
91172a448951b6d010751e6473fa6abd

SHA1
45ae9d86040c5f33318d33e81ba82ae64f950771

SHA256
f49b2d7a211617fa44200bc9f792534adbc4ced0930269876d2a8b8ce02d6773

SHA512
df384f804114158475931bb0851d2516768b209e5cf26020fff76d828d3b216d09adb5e55c9265ecb5495f369f762e44445851c540bbcd0d6dcee0a686bbb25a

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
448KB

MD5
3b89d375ed9346b1969d505eda5f7dee

SHA1
5e5affacf7c193be0f3b2c9e647a4f1a34bb6556

SHA256
58f3486ed9b0d89553f8e8d25bec2b8d58690a55ba5539611400f01c707ec33f

SHA512
c0199ec5264164698570c0fdaf9f6c51ea548c51c0ec9a857358eeffd18ee08de05698b3d47410103f2408c03fb65e7332df9e24e503c92f276ded85c504d391

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
2.1MB

MD5
8a872d08a57aff8f56e38ed98cb61492

SHA1
9dcfcb815de8f33b880ad742da6d48e4438f7fd1

SHA256
62040e1f986db481f2e00147e67868a1b60b029fd03f55927123add367e2300c

SHA512
dca946da2fb4c69d01703cd3df840617de8f77739c1046bef983b42e692608c50b5ee149ed4b70411db56c0523aaf5e75c3e53e7371801f4f5656699bbf9c6a3

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
2.1MB

MD5
5378ffbe159e2678a303e0351de7758b

SHA1
2c473070e9497b1724703b07164d642b53a9dcd3

SHA256
1f975f5900ba3a759c290357908f390c79dec9921de2325d747a6acf905a9529

SHA512
eb2542fe2eb759a2a1fe1053bfef04112a79c02d68f2c31c913cea36a5b3c33176cae291035ce62324e05ef4b4582cfcada9ebda208b066979ddfe1f67cf1ce9

Download Submit
memory/1840-37-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1840-23-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-5-0x0000000003170000-0x0000000003568000-memory.dmp

Filesize
4.0MB

Download
memory/2416-15-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-133-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-138-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-16-0x0000000002EE0000-0x00000000032D8000-memory.dmp

Filesize
4.0MB

Download
memory/2696-97-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-112-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-144-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-143-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-142-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-141-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-134-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-135-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-136-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-137-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-140-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2696-139-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2724-6-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2724-0-0x0000000003170000-0x0000000003568000-memory.dmp

Filesize
4.0MB

Download
memory/2724-1-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2724-2-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download
memory/2724-3-0x0000000000400000-0x0000000002EDD000-memory.dmp

Filesize
42.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads