Analysis

  • max time kernel
    171s
  • max time network
    87s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2022, 02:04

General

  • Target

    8d83dce739574a50a0864fbb3c0d6f8797c21305ee16200b9c2ff0ad4569040d.exe

  • Size

    516KB

  • MD5

    2b5f02ac65f14561fcedee693f2bf502

  • SHA1

    bd068680366ffde81ddfe116ec1bb1134dea13cb

  • SHA256

    8d83dce739574a50a0864fbb3c0d6f8797c21305ee16200b9c2ff0ad4569040d

  • SHA512

    bf8ba6182b3794250c554a4eb46a19e5e095c464013d533fb930cc2a02fc25a71e307fb4c02c2828d15937fce243d08a07e53a7d8d50e6cbe6e9f036302a7ba7

  • SSDEEP

    12288:agemE7L51gT6dcCQDNbHJHf87hw89A3CzKacbDQrS:mmE7l1ODNzJk7F9mCzKdDH

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

pislikkene.no-ip.org:82

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • UPX packed file (19 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops desktop.ini file(s) (1 IoC)
  • Drops file in System32 directory (5 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d83dce739574a50a0864fbb3c0d6f8797c21305ee16200b9c2ff0ad4569040d.exe
    "C:\Users\Admin\AppData\Local\Temp\8d83dce739574a50a0864fbb3c0d6f8797c21305ee16200b9c2ff0ad4569040d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\8d83dce739574a50a0864fbb3c0d6f8797c21305ee16200b9c2ff0ad4569040d.exe
      C:\Users\Admin\AppData\Local\Temp\8d83dce739574a50a0864fbb3c0d6f8797c21305ee16200b9c2ff0ad4569040d.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Modifies Installed Components in the registry
        PID:1204
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops file in System32 directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1236
        • C:\Windows\SysWOW64\install\Svchost.exe
          "C:\Windows\system32\install\Svchost.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:1596
          • C:\Windows\SysWOW64\install\Svchost.exe
            C:\Windows\SysWOW64\install\Svchost.exe
            5⤵
            • Executes dropped EXE
            PID:1768
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1744

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

            Filesize

            267KB

            MD5

            567a4f3f6904c27a343b2775f4dbeb95

            SHA1

            fab7a488abc611896257fb0dcbaaa417daa1a9b6

            SHA256

            c98dddacb343e8f745501c52f583a5d25968221c6c22ef9b45e495702cefd35c

            SHA512

            a5112361d0e045d7a3c47edb1c4356406abc2ea8ee54aec96e65737b4f39c4501a4a3a8c9291238da4f14eecaee117dd18ed8ab6cee14d38e2981802ed3d12a7

          • C:\Users\Admin\AppData\Local\Temp\nah-isareti_5847.jpg

            Filesize

            37KB

            MD5

            3854ec8de65e3bb9b4a661ae8704fa3b

            SHA1

            0687b1f1d7dabf1d4771536855c399e6c7b1a62d

            SHA256

            157931be5848ffdf94d88bb3889a47a6be9e2ca37483bd3ba0823cb2e2b7c461

            SHA512

            6f76f72c94552de2ee31c14b93941cf12938a058d8c8c6b4b988251ae72d625f801969b23ce286905aaf56ae2da16de558f0c88edf6570b60461f03c1f66f97f

          • C:\Windows\SysWOW64\install\Svchost.exe

            Filesize

            516KB

            MD5

            2b5f02ac65f14561fcedee693f2bf502

            SHA1

            bd068680366ffde81ddfe116ec1bb1134dea13cb

            SHA256

            8d83dce739574a50a0864fbb3c0d6f8797c21305ee16200b9c2ff0ad4569040d

            SHA512

            bf8ba6182b3794250c554a4eb46a19e5e095c464013d533fb930cc2a02fc25a71e307fb4c02c2828d15937fce243d08a07e53a7d8d50e6cbe6e9f036302a7ba7

          • \Windows\SysWOW64\install\Svchost.exe

            Filesize

            516KB

            MD5

            2b5f02ac65f14561fcedee693f2bf502

            SHA1

            bd068680366ffde81ddfe116ec1bb1134dea13cb

            SHA256

            8d83dce739574a50a0864fbb3c0d6f8797c21305ee16200b9c2ff0ad4569040d

            SHA512

            bf8ba6182b3794250c554a4eb46a19e5e095c464013d533fb930cc2a02fc25a71e307fb4c02c2828d15937fce243d08a07e53a7d8d50e6cbe6e9f036302a7ba7

          • memory/888-68-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/888-67-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/888-57-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/888-70-0x0000000024010000-0x0000000024072000-memory.dmp

            Filesize

            392KB

          • memory/888-92-0x00000000240F0000-0x0000000024152000-memory.dmp

            Filesize

            392KB

          • memory/888-66-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/888-64-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/888-79-0x0000000024080000-0x00000000240E2000-memory.dmp

            Filesize

            392KB

          • memory/888-98-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/1204-84-0x0000000024080000-0x00000000240E2000-memory.dmp

            Filesize

            392KB

          • memory/1204-78-0x0000000074691000-0x0000000074693000-memory.dmp

            Filesize

            8KB

          • memory/1204-87-0x0000000024080000-0x00000000240E2000-memory.dmp

            Filesize

            392KB

          • memory/1208-73-0x0000000024010000-0x0000000024072000-memory.dmp

            Filesize

            392KB

          • memory/1236-99-0x00000000240F0000-0x0000000024152000-memory.dmp

            Filesize

            392KB

          • memory/1236-122-0x00000000240F0000-0x0000000024152000-memory.dmp

            Filesize

            392KB

          • memory/1236-124-0x0000000003C60000-0x0000000003CAA000-memory.dmp

            Filesize

            296KB

          • memory/1236-123-0x0000000003C60000-0x0000000003CAA000-memory.dmp

            Filesize

            296KB

          • memory/1236-117-0x0000000003C60000-0x0000000003CAA000-memory.dmp

            Filesize

            296KB

          • memory/1236-97-0x00000000240F0000-0x0000000024152000-memory.dmp

            Filesize

            392KB

          • memory/1236-118-0x0000000003C60000-0x0000000003CAA000-memory.dmp

            Filesize

            296KB

          • memory/1596-113-0x00000000004C0000-0x00000000004F3000-memory.dmp

            Filesize

            204KB

          • memory/1596-112-0x0000000000400000-0x0000000000449A24-memory.dmp

            Filesize

            294KB

          • memory/1768-121-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/1768-115-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/1768-116-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/1768-119-0x0000000000400000-0x0000000000461000-memory.dmp

            Filesize

            388KB

          • memory/1988-61-0x0000000000400000-0x0000000000449A24-memory.dmp

            Filesize

            294KB

          • memory/1988-54-0x0000000075281000-0x0000000075283000-memory.dmp

            Filesize

            8KB

          • memory/1988-62-0x0000000000250000-0x0000000000283000-memory.dmp

            Filesize

            204KB

          • memory/1988-60-0x0000000000400000-0x0000000000449A24-memory.dmp

            Filesize

            294KB

          • memory/1988-63-0x0000000000450000-0x000000000049A000-memory.dmp

            Filesize

            296KB