Overview

overview

10

Static

static

926c51ff26...bf.exe

windows7-x64

10

926c51ff26...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    926c51ff26dcad0f4e61cc66c7df26f130b6ec6351a7f548fbc90e7c82b188bf.exe

  • Size

    464KB

  • MD5

    ed11e8aa6dfc108eab3560d20a90047c

  • SHA1

    65e31696064fcf49207d22142f8166ee7e3294c7

  • SHA256

    926c51ff26dcad0f4e61cc66c7df26f130b6ec6351a7f548fbc90e7c82b188bf

  • SHA512

    f214e6bf38239ac394e94834cf5742223c2b76315c0be4ea9aa69a8985f0ae2a3ddef38f093258f6df622c0312dfb6f860e5b494aca5b0af9fd085b9d9dfe81c

  • SSDEEP

    12288:AP7ZyPBOzdvKZivg/egCFs2jrUDsyCgLsaeO:AzZyPQzdvJvceVwsyNsa

Score
10/10
cybergatewalllero sxe 11.6persistencestealertrojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

WALLLERO SXE 11.6

C2

braian.no-ip.biz:4662

Mutex

1MABO4436T64FQ

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Win32

  • install_file

    Win32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    Win32

  • regkey_hklm

    Win32

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\926c51ff26dcad0f4e61cc66c7df26f130b6ec6351a7f548fbc90e7c82b188bf.exe
    "C:\Users\Admin\AppData\Local\Temp\926c51ff26dcad0f4e61cc66c7df26f130b6ec6351a7f548fbc90e7c82b188bf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\926c51ff26dcad0f4e61cc66c7df26f130b6ec6351a7f548fbc90e7c82b188bf.EXE
      "C:\Users\Admin\AppData\Local\Temp\926c51ff26dcad0f4e61cc66c7df26f130b6ec6351a7f548fbc90e7c82b188bf.EXE"
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:872

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/872-56-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/872-58-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/872-60-0x0000000075B41000-0x0000000075B43000-memory.dmp

    Filesize

    8KB

    Download

  • memory/872-61-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/872-62-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/872-64-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1500-59-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download