Overview

overview

10

Static

static

8f4dab0d8d...27.exe

windows7-x64

1

8f4dab0d8d...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    170s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 07:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827.exe

  • Size

    450KB

  • MD5

    7f1a66da47620401fe58544961c1e4fc

  • SHA1

    ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

  • SHA256

    8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

  • SHA512

    3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

  • SSDEEP

    12288:MDLD31DiGeKylEJCVwjZt/zQpAjmK4F5KA2m96i:oJe2t/z4AjzO5KA2mci

Score
10/10
cybergatevítimapersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

lokao.no-ip.org:2000

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    383214is

  • regkey_hkcu

    win32

  • regkey_hklm

    win32

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 16 IoCs
    persistence
  • Executes dropped EXE 10 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:600
      • C:\Users\Admin\AppData\Local\Temp\8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827.exe
        "C:\Users\Admin\AppData\Local\Temp\8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3744
        • C:\Users\Admin\AppData\Local\Temp\8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827.exe
          C:\Users\Admin\AppData\Local\Temp\8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Checks computer location settings
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4600
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Adds policy Run key to start application
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            PID:1380
            • C:\Windows\SysWOW64\install\server.exe
              "C:\Windows\system32\install\server.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:4124
              • C:\Windows\SysWOW64\install\server.exe
                C:\Windows\SysWOW64\install\server.exe
                6⤵
                • Adds policy Run key to start application
                • Executes dropped EXE
                • Modifies Installed Components in the registry
                • Adds Run key to start application
                • Drops file in System32 directory
                PID:208
                • C:\Windows\SysWOW64\install\server.exe
                  "C:\Windows\SysWOW64\install\server.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:4832
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 968
                    8⤵
                    • Program crash
                    PID:4848
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:4484
            • C:\Windows\SysWOW64\install\server.exe
              C:\Windows\SysWOW64\install\server.exe
              5⤵
              • Adds policy Run key to start application
              • Executes dropped EXE
              • Modifies Installed Components in the registry
              • Checks computer location settings
              • Adds Run key to start application
              • Drops file in System32 directory
              • Suspicious use of FindShellTrayWindow
              PID:1864
              • C:\Users\Admin\AppData\Roaming\install\server.exe
                "C:\Users\Admin\AppData\Roaming\install\server.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:2476
                • C:\Users\Admin\AppData\Roaming\install\server.exe
                  C:\Users\Admin\AppData\Roaming\install\server.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  PID:4188
                  • C:\Users\Admin\AppData\Roaming\install\server.exe
                    "C:\Users\Admin\AppData\Roaming\install\server.exe"
                    8⤵
                    • Executes dropped EXE
                    • Checks computer location settings
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4632
                    • C:\Windows\SysWOW64\install\server.exe
                      "C:\Windows\SysWOW64\install\server.exe"
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of SetWindowsHookEx
                      PID:3024
                      • C:\Windows\SysWOW64\install\server.exe
                        C:\Windows\SysWOW64\install\server.exe
                        10⤵
                        • Executes dropped EXE
                        PID:1584
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4832 -ip 4832
      1⤵
        PID:4624

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
              Filesize

              229KB

              MD5

              a703bd9204b2778b5cdae71a3381e32b

              SHA1

              5cec9ca1cce1e012766f36fc297e5982ded74e73

              SHA256

              485aabddaa359ac261dc05006a47a3a43d0c85afa4f38528100df5fdeb52760e

              SHA512

              f6e3f3b34717a25aa7bd20a2e4e9a88d4f1ce5bcf80fdd57ebb2f751883b98a65ba9cde1009557f10cba8d1a8b884ee844a2dcf3cd4de56f13a0cd33bdd124d7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
              Filesize

              229KB

              MD5

              9b63391145153146e31ce50145343409

              SHA1

              94628fe394742646e7b2197b71e19047159345d1

              SHA256

              64fc28ffd06c0a6fd846bee6d9c045f17b77ab49514b183385c8a23b4e495996

              SHA512

              68ed07d92122608deac3cb2307dd78af430f24992e0eb77005bace9c36b477da8e4c199bf4fb631f3f1560f7d10fa0b7db80df718d90cdbe3a9d5b1585d0f209

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
              Filesize

              229KB

              MD5

              71be00c1b370ca45bbb5741217739319

              SHA1

              6e3d5fdb953406283b15ce97e0ba6b2603b7d648

              SHA256

              1cf0ce3e29fde85758de03b0bf9ff799d89b48820270549e993fc8028fcc8921

              SHA512

              2d22b3dba01a4bcc3ea6ab920ccad8ac40bcbaee2e5d36dce67f7f71d22c7e82c865a814fe0afa3970122456181c5526e75d439f9b37f15efcd29e5227b378b9

              Download Submit

            • C:\Users\Admin\AppData\Roaming\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Users\Admin\AppData\Roaming\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Users\Admin\AppData\Roaming\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Users\Admin\AppData\Roaming\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Windows\SysWOW64\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Windows\SysWOW64\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Windows\SysWOW64\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Windows\SysWOW64\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Windows\SysWOW64\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Windows\SysWOW64\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Windows\SysWOW64\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • C:\Windows\SysWOW64\install\server.exe
              Filesize

              450KB

              MD5

              7f1a66da47620401fe58544961c1e4fc

              SHA1

              ba3e6d12e26ae2ff9852079e15a28dd3e7363ff0

              SHA256

              8f4dab0d8daec8fecba1aa19ef3843c62bff498a54188634f0a7917e61a55827

              SHA512

              3dea33e9bdf0c091d1a26abd5a62a49573c541c52541f94473295907aac342ff2a64844bff506ed4e3c69fca5bd8f0660fb0521246c99750f1cca7656dc34815

              Download Submit

            • memory/208-193-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/208-212-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1380-153-0x0000000024080000-0x00000000240E2000-memory.dmp

              Filesize

              392KB

              Download

            • memory/1380-150-0x0000000024080000-0x00000000240E2000-memory.dmp

              Filesize

              392KB

              Download

            • memory/1584-224-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1584-226-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1584-227-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1864-170-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1864-166-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1864-164-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/2476-174-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/2476-183-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/3024-219-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/3024-225-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/3744-134-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/3744-139-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/4124-184-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/4124-190-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/4188-203-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4188-192-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4188-199-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB

              Download

            • memory/4188-182-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4484-159-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/4484-165-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/4600-142-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB

              Download

            • memory/4600-138-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4600-136-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4600-137-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4600-156-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4600-140-0x0000000000400000-0x0000000000450000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4600-147-0x0000000024080000-0x00000000240E2000-memory.dmp

              Filesize

              392KB

              Download

            • memory/4632-198-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

              Download

            • memory/4632-213-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB

              Download

            • memory/4632-202-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB

              Download

            • memory/4632-228-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB

              Download

            • memory/4832-214-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB

              Download

            • memory/4832-229-0x0000000024010000-0x0000000024072000-memory.dmp

              Filesize

              392KB

              Download