Overview

overview

10

Static

static

266748a114...ca.exe

windows7-x64

10

266748a114...ca.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2022, 03:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca.exe

  • Size

    639KB

  • MD5

    df2544e24b5fc152df10ee110f13998e

  • SHA1

    eca3c55a7023a7ca8453e1df451154515db857a1

  • SHA256

    266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca

  • SHA512

    79c04fbe175501e5cfe99c6a7c317abfb7b39bee5381c0f46350c9e4b1047664ea9aa6b957b73bfc9699908fdb30a5c8ef95c2c30e6171d9f7897f7bc05924a8

  • SSDEEP

    12288:X1nemiDXuGBb2zQTOkrMdR/ZLbzu0owpnpcCFQFLBPfQ/IVP31:X1wXuGS4O/zw0dVphoLBPfQw/

Score
10/10
cybergatewalqrypersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

walqry

C2

pizdes.zapto.org:81

pizdes.zapto.org:80

pizdes.zapto.org:8080

pizdes.zapto.org:8000

pizdes.zapto.org:82

pizdes.zapto.org:3128

pizdes.zapto.org:25

pizdes.zapto.org:110
Mutex

123qwe

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    error

  • message_box_title

    error

  • password

    123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 4 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca.exe
        "C:\Users\Admin\AppData\Local\Temp\266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\Users\Admin\AppData\Local\Temp\266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca.exe
          "C:\Users\Admin\AppData\Local\Temp\266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca.exe"
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:888
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:1980
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Loads dropped DLL
            • Drops desktop.ini file(s)
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:340
            • C:\Windows\errorlookup_1.6_setup.exe
              "C:\Windows\errorlookup_1.6_setup.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:760
            • C:\temp\install\svchost.exe
              "C:\temp\install\svchost.exe"
              5⤵
              • Executes dropped EXE
              PID:1816
              • C:\temp\install\svchost.exe
                "C:\temp\install\svchost.exe"
                6⤵
                • Executes dropped EXE
                PID:956

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      529KB

      MD5

      73fe963f04ea52343e7e937f296b0894

      SHA1

      ccee491d2b3faf38bc68744657b1f14f4d3990bd

      SHA256

      1a97b41c027256ea9c018c093cc9d1460671d322476b873e1ce9f715edc90c3d

      SHA512

      faaba1bb868184c64f9e21e7245eda710a0e63a03b6eb9f6178394f72c153c8a0bb2b30d555e99982d5c75ea5f55cdac71a9983b1d7a506ab99b79434f5e5d02

      Download Submit

    • C:\Windows\errorlookup_1.6_setup.exe
      Filesize

      299KB

      MD5

      e0c99bd1483281b8628e1437db862713

      SHA1

      f0df6c2071a1dfdd0c670c69c02e318c1d76f012

      SHA256

      f909744384353d1a07ec8fb35c4439ac0497f449c46bb8a7fc84f252d59e92eb

      SHA512

      e383946500aaf538af40e0a1d0b71e584fd09b6de2de45ab8065c58b686715ef4c2ce578f757eadba8eb4645e1fea64c9f16aa15e147e767ecbf842cebc86471

      Download Submit

    • C:\Windows\errorlookup_1.6_setup.exe
      Filesize

      299KB

      MD5

      e0c99bd1483281b8628e1437db862713

      SHA1

      f0df6c2071a1dfdd0c670c69c02e318c1d76f012

      SHA256

      f909744384353d1a07ec8fb35c4439ac0497f449c46bb8a7fc84f252d59e92eb

      SHA512

      e383946500aaf538af40e0a1d0b71e584fd09b6de2de45ab8065c58b686715ef4c2ce578f757eadba8eb4645e1fea64c9f16aa15e147e767ecbf842cebc86471

      Download Submit

    • C:\temp\install\svchost.exe
      Filesize

      639KB

      MD5

      df2544e24b5fc152df10ee110f13998e

      SHA1

      eca3c55a7023a7ca8453e1df451154515db857a1

      SHA256

      266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca

      SHA512

      79c04fbe175501e5cfe99c6a7c317abfb7b39bee5381c0f46350c9e4b1047664ea9aa6b957b73bfc9699908fdb30a5c8ef95c2c30e6171d9f7897f7bc05924a8

      Download Submit

    • C:\temp\install\svchost.exe
      Filesize

      639KB

      MD5

      df2544e24b5fc152df10ee110f13998e

      SHA1

      eca3c55a7023a7ca8453e1df451154515db857a1

      SHA256

      266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca

      SHA512

      79c04fbe175501e5cfe99c6a7c317abfb7b39bee5381c0f46350c9e4b1047664ea9aa6b957b73bfc9699908fdb30a5c8ef95c2c30e6171d9f7897f7bc05924a8

      Download Submit

    • \??\c:\temp\install\svchost.exe
      Filesize

      639KB

      MD5

      df2544e24b5fc152df10ee110f13998e

      SHA1

      eca3c55a7023a7ca8453e1df451154515db857a1

      SHA256

      266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca

      SHA512

      79c04fbe175501e5cfe99c6a7c317abfb7b39bee5381c0f46350c9e4b1047664ea9aa6b957b73bfc9699908fdb30a5c8ef95c2c30e6171d9f7897f7bc05924a8

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsj4953.tmp\System.dll
      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsj4953.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      c10e04dd4ad4277d5adc951bb331c777

      SHA1

      b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

      SHA256

      e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

      SHA512

      853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

      Download Submit

    • \temp\install\svchost.exe
      Filesize

      639KB

      MD5

      df2544e24b5fc152df10ee110f13998e

      SHA1

      eca3c55a7023a7ca8453e1df451154515db857a1

      SHA256

      266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca

      SHA512

      79c04fbe175501e5cfe99c6a7c317abfb7b39bee5381c0f46350c9e4b1047664ea9aa6b957b73bfc9699908fdb30a5c8ef95c2c30e6171d9f7897f7bc05924a8

      Download Submit

    • \temp\install\svchost.exe
      Filesize

      639KB

      MD5

      df2544e24b5fc152df10ee110f13998e

      SHA1

      eca3c55a7023a7ca8453e1df451154515db857a1

      SHA256

      266748a1141ec21f529c6226f99ac54b3e1ac963385af9285c2088cd2d4008ca

      SHA512

      79c04fbe175501e5cfe99c6a7c317abfb7b39bee5381c0f46350c9e4b1047664ea9aa6b957b73bfc9699908fdb30a5c8ef95c2c30e6171d9f7897f7bc05924a8

      Download Submit

    • memory/340-98-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

      Download

    • memory/340-90-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

      Download

    • memory/340-106-0x0000000003EE0000-0x0000000003F2B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/340-107-0x0000000003F30000-0x0000000003F7B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/340-105-0x0000000003D00000-0x0000000003D4B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/340-109-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

      Download

    • memory/888-85-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

      Download

    • memory/888-59-0x0000000075021000-0x0000000075023000-memory.dmp

      Filesize

      8KB

      Download

    • memory/888-56-0x0000000000400000-0x0000000000499000-memory.dmp

      Filesize

      612KB

      Download

    • memory/888-58-0x0000000000400000-0x0000000000499000-memory.dmp

      Filesize

      612KB

      Download

    • memory/888-72-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/888-91-0x0000000000400000-0x0000000000499000-memory.dmp

      Filesize

      612KB

      Download

    • memory/888-60-0x0000000000400000-0x0000000000499000-memory.dmp

      Filesize

      612KB

      Download

    • memory/888-61-0x0000000000400000-0x0000000000499000-memory.dmp

      Filesize

      612KB

      Download

    • memory/888-63-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1244-66-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1980-71-0x0000000074B81000-0x0000000074B83000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1980-77-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1980-108-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1980-78-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download