Overview

overview

10

Static

static

5

03c8b9940b...69.exe

windows7_x64

10

03c8b9940b...69.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 11:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe

  • Size

    1.5MB

  • MD5

    7cd651329281022f1754aa0160acfa1b

  • SHA1

    3839c31f358e4ed87cddc64c5f70c5bd653b1442

  • SHA256

    03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969

  • SHA512

    27cd74171426da490f7488260b4ddb0c4c8ecf4407b4d6575db9b13a93f26d5b1e8d96cd234de78922508e8b80daa7d7bb7fdea6e230009cabdadf167270d0ac

Score
10/10
cybergatecuidadonoipstealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

cuidadonoip

C2

redlan1.hopto.org:1552

Mutex

4BW6N06V7085IT

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    SkypeUpdate

  • install_file

    Skype.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

  • regkey_hkcu

    Adobefinder

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe
    "C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe
      "C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe
        "C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1160
        • C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe
          "C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe"
          4⤵
          • Drops startup file
          • Suspicious use of SetThreadContext
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:436
          • C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe
            "C:\Users\Admin\AppData\Local\Temp\03c8b9940b3e065534d1196bbed3858a762084f09b072dd45af989b705244969.exe"
            5⤵
              PID:1844

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\PerceptionSimulationService\chgusr.exe
      Filesize

      1.5MB

      MD5

      180389e4bb6c6682b2a625c87a4d6f83

      SHA1

      ba07e7ba7aadebb5af9ba693a1248c5865465275

      SHA256

      69ecbbf58f1e37174e685eb6de092b81facf17293cbccc55ef10fceba3a1b6ef

      SHA512

      a7124e53b1e2360b2b42f8aab3fd2fbc3a962d378e0b26db97d7dad1b07e7cbd24b2dc1f039d63f7adda2f5de2f511dac36b69b5116290b25147284324a5e121

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\PerceptionSimulationService\vssadmin.vbs
      Filesize

      145B

      MD5

      0d73b6b4ec13fedc935d1bb18964fb56

      SHA1

      e01772bb7dd1ce53546108b1a7243cb3c89595ac

      SHA256

      bc0afebfe5d9720d28251c178f8cc82378f620efd50d724f078f3ae6c71f6adf

      SHA512

      73966e6c02e6e69266947218df5fe6515d06a6084ffe2c79dcf5e8e0a28fc5d8a7d7a7d98b9f261a6f8af2230b6902aba6506003f7fd62ffbf04ea6173589ec2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      222KB

      MD5

      f3219df3f1f316edc41521fbd2fc7345

      SHA1

      f8b6b78a1317be9b12a365db931e559274042df7

      SHA256

      a5107e0e7bc73645222fb3be9f80cca033d2caf627aaad8cd386907ae30e71ab

      SHA512

      a368718d7232c985ef384aa3a4a0d4d4b5e088d46db28ff0845fe9511e54adc3c13ec89260509d6bcc06716726e3160c41a3e9b476162caea560f18f2337734c

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vssadmin.url
      Filesize

      104B

      MD5

      1ca604c26a580ab5f17237571c4ca256

      SHA1

      35703826d7fb692562eb62200eae64eecc81fa97

      SHA256

      dc2766a952ee5cc9106ffcc014b6dbd8d8c791cfb8bf20166b4480978a3f6377

      SHA512

      8d184257c0dc5d6a029d579645ff3b1e5d79638ae1a3f10f7ec82e405c5c0b28a3698715dba75904a3c15311f42545b6eda68cd6da4b6b5d57246d333e66e833

      Download Submit
    • memory/436-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1160-79-0x0000000010410000-0x0000000010471000-memory.dmp
      Filesize

      388KB

      Download
    • memory/1160-83-0x0000000010410000-0x0000000010471000-memory.dmp
      Filesize

      388KB

      Download
    • memory/1160-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1160-77-0x0000000010410000-0x0000000010471000-memory.dmp
      Filesize

      388KB

      Download
    • memory/1832-70-0x0000000000080000-0x00000000000CC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1832-74-0x0000000010410000-0x0000000010471000-memory.dmp
      Filesize

      388KB

      Download
    • memory/1832-68-0x0000000000080000-0x00000000000CC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1832-67-0x000000000008BBCC-mapping.dmp
      Download
    • memory/1832-57-0x0000000000080000-0x00000000000CC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1832-55-0x0000000000080000-0x00000000000CC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1844-86-0x00000000000C0000-0x000000000010C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1844-96-0x00000000000CBBCC-mapping.dmp
      Download
    • memory/1844-97-0x00000000000C0000-0x000000000010C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1844-102-0x00000000000C0000-0x000000000010C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1892-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
      Filesize

      8KB

      Download