Analysis
-
max time kernel
150s -
max time network
72s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
07-06-2022 03:58
General
-
Target
1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe
-
Size
977KB
-
MD5
48929afcff653c2c0f2f34a5ac9128bc
-
SHA1
200062fa01991623b0f2867550cb7c565dad4502
-
SHA256
1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2
-
SHA512
c2041c99170978088d389c780e995a30c83c5ff768cf2c930320f0baa93ea2330844f2c54eb797694f11e4c35abd2879ccfa1952df8df32207abc1b58ed4e423
Malware Config
Extracted
cybergate
v1.07.5
Cyb3r
myhostname.no-ip.biz:100
I43O1VJK33FR56
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
WinDir
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe"C:\Users\Admin\AppData\Local\Temp\1d534a8fe53894a015b883d60847f4ac993119095eba3babed47b10d15502ea2.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pSaltyDave""3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\7za.exe"C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pSaltyDave"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Server.exeC:\Users\Admin\AppData\Roaming\Server.exe3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WinDir\Svchost.exe"C:\Windows\system32\WinDir\Svchost.exe"5⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
224KB
MD54af5dd0550411628426b705c9fa50b4f
SHA17c9e4ddf1e7898f436d6a0e6c66b84f5b27e2172
SHA256916f2992d39bfcdb98b71d1366204c3e2e7a15be665c6e17bdc3372310dee4d8
SHA5123d655acd2c39dd77865a71e00f003712532cd1fb50992c64c44875e48d9e81bd9f0c39de173cb8f40f362c746f118856b0c025fc8fcd930bfdf2372d962f296d
-
C:\Users\Admin\AppData\Local\Temp\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
C:\Users\Admin\AppData\Roaming\7za.exeFilesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
C:\Users\Admin\AppData\Roaming\7za.exeFilesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
C:\Users\Admin\AppData\Roaming\Server.7zFilesize
248KB
MD53d9e49143ffe764c753204a64c5094ad
SHA15ffdf7c0b4977e2ebafef306d5b7fc4aa5fa70a2
SHA2565a626a58b4d4cd799f1b7327e9ebf7daef4ab025559ca739dd826884c5c62adb
SHA5128e8b9dd11a96a469f8db2e75cba2e71821a864ed6e2a874de2ed6bac40bb6e5d7d10cbdd3635162120931a070e894cbfe2c6e8275ed069f5270851cd5018b4f7
-
C:\Users\Admin\AppData\Roaming\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
C:\Users\Admin\AppData\Roaming\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
C:\Windows\SysWOW64\WinDir\Svchost.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
C:\Windows\SysWOW64\WinDir\Svchost.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
\Users\Admin\AppData\Roaming\7za.exeFilesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
\Users\Admin\AppData\Roaming\7za.exeFilesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
\Users\Admin\AppData\Roaming\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
\Users\Admin\AppData\Roaming\Server.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
\Windows\SysWOW64\WinDir\Svchost.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
\Windows\SysWOW64\WinDir\Svchost.exeFilesize
296KB
MD5eb9eea07ed254728a1a71f12bbca7470
SHA1813f028970bfc0630a3b8a92379b121e173d0f0c
SHA25675e7cec6b0a64ae37178197f1363cba977de2b7f8426c1d8169f4f00d50d4f9e
SHA51283f64399f7a278f6e92127577877d8583f33ece50aa7f42cfcdd227682ab52b9cdefcc40d5a671360e9715b7a429617805bfd250de220195d31b90cfa53dcccc
-
memory/912-55-0x0000000000000000-mapping.dmp
-
memory/1140-69-0x0000000010410000-0x0000000010475000-memory.dmpFilesize
404KB
-
memory/1140-95-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB
-
memory/1140-65-0x0000000000000000-mapping.dmp
-
memory/1140-78-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/1140-88-0x00000000104F0000-0x0000000010555000-memory.dmpFilesize
404KB
-
memory/1352-59-0x0000000000000000-mapping.dmp
-
memory/1364-72-0x0000000010410000-0x0000000010475000-memory.dmpFilesize
404KB
-
memory/1416-86-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/1416-75-0x0000000000000000-mapping.dmp
-
memory/1416-77-0x0000000075051000-0x0000000075053000-memory.dmpFilesize
8KB
-
memory/1416-83-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/1964-104-0x0000000000000000-mapping.dmp
-
memory/1972-54-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/2016-92-0x0000000000000000-mapping.dmp
-
memory/2016-100-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB
-
memory/2016-101-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB
-
memory/2016-107-0x0000000010560000-0x00000000105C5000-memory.dmpFilesize
404KB