Overview

overview

10

Static

static

5

cf60acded0...97.exe

windows7-x64

10

cf60acded0...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01/10/2022, 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf60acded0fd519b2f0322549282e260c8a7efee654d564bff835d2f30073997.exe

  • Size

    1.1MB

  • MD5

    6ad158f11a5f717855659f919e50bfc8

  • SHA1

    e131ea67a82999decdc71d95bd198b419b374181

  • SHA256

    cf60acded0fd519b2f0322549282e260c8a7efee654d564bff835d2f30073997

  • SHA512

    c851c05f17fd5871a711516f93d7b096eaa5cb3b0fbe88b1c3ea42bba1d28f23d0cff316bd07719222d883da05ada5ea87abd93f19ff65c09ea3cf9a5e42c529

  • SSDEEP

    24576:VA7jTeFeRmJkcoQricOIQxiZY1iaapCdbxQx1mTT:VA7/eFLJZoQrbTFZY1iaa4dk1Q

Score
10/10
cybergateativadopersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Ativado

C2

anonymatuu.no-ip.biz:999

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123

  • regkey_hkcu

    svchost

  • regkey_hklm

    svchost

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1412
      • C:\Users\Admin\AppData\Local\Temp\cf60acded0fd519b2f0322549282e260c8a7efee654d564bff835d2f30073997.exe
        "C:\Users\Admin\AppData\Local\Temp\cf60acded0fd519b2f0322549282e260c8a7efee654d564bff835d2f30073997.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Users\Admin\AppData\Local\Temp\microsoft.exe
          "C:\Users\Admin\AppData\Local\Temp\microsoft.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Users\Admin\AppData\Local\Temp\microsoft.exe
            "C:\Users\Admin\AppData\Local\Temp\microsoft.exe"
            4⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:932
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
              • Modifies Installed Components in the registry
              PID:2016
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
              • Loads dropped DLL
              • Drops desktop.ini file(s)
              • Drops file in System32 directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1696
              • C:\Windows\SysWOW64\install\svchost.exe
                "C:\Windows\system32\install\svchost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:1676
                • C:\Windows\SysWOW64\install\svchost.exe
                  "C:\Windows\SysWOW64\install\svchost.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:2020
        • C:\Users\Admin\AppData\Local\Temp\runtime.exe
          "C:\Users\Admin\AppData\Local\Temp\runtime.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:940

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      229KB

      MD5

      749f8c05ff306a3ab84651efdd66ac8b

      SHA1

      6f101f5240cfcae5850d0dd24b7ea13075aee46e

      SHA256

      96d6bd4ad6df9a6412ab2ebae524c7b65cf991081415d7783e27f350bd5b5360

      SHA512

      ea674570aa79b9ef559b41adbe4a598702397fda850d46ef8f5ae9b481e3b7c976e5a2107660a5acf9a8323760fb4428dc3f6889698ab39a87a82d70c69cac85

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\microsoft.exe
      Filesize

      930KB

      MD5

      600e7019b86f01d33cdd8233085deb96

      SHA1

      c0c491f6bf6bb550e49a82fc1159dad7894de58f

      SHA256

      b00da994c4d55f987ce171d4b661f019b3354f9d2d97fefc67275544a930bc9d

      SHA512

      5f2a2a78f5aa0553927f854d5f7876138ac694607294e3f843f3bc3e1453b376db2b0caeaacd14621a6e815fa4f2ab9bc3d65c514258011e31599c18357e1748

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\microsoft.exe
      Filesize

      930KB

      MD5

      600e7019b86f01d33cdd8233085deb96

      SHA1

      c0c491f6bf6bb550e49a82fc1159dad7894de58f

      SHA256

      b00da994c4d55f987ce171d4b661f019b3354f9d2d97fefc67275544a930bc9d

      SHA512

      5f2a2a78f5aa0553927f854d5f7876138ac694607294e3f843f3bc3e1453b376db2b0caeaacd14621a6e815fa4f2ab9bc3d65c514258011e31599c18357e1748

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\microsoft.exe
      Filesize

      930KB

      MD5

      600e7019b86f01d33cdd8233085deb96

      SHA1

      c0c491f6bf6bb550e49a82fc1159dad7894de58f

      SHA256

      b00da994c4d55f987ce171d4b661f019b3354f9d2d97fefc67275544a930bc9d

      SHA512

      5f2a2a78f5aa0553927f854d5f7876138ac694607294e3f843f3bc3e1453b376db2b0caeaacd14621a6e815fa4f2ab9bc3d65c514258011e31599c18357e1748

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\runtime.exe
      Filesize

      24KB

      MD5

      db0133a26e827ea34d19cf356bb6111c

      SHA1

      043d74163d9fa5052e79a6f784b0482e700efbd6

      SHA256

      cbda9bf6054d20dfbb0b369aab2bc48729d71b063ad4645dc9a55687bcf14149

      SHA512

      6fcf393b7a5b065b5b42f3251c4be5daf6897361bd8597ba5373b8359bdc4115f164fb814abea5cb00c24ed5c0c777307202c0351a502881ec1bee5b4f6aa291

      Download Submit

    • C:\Windows\SysWOW64\install\svchost.exe
      Filesize

      930KB

      MD5

      600e7019b86f01d33cdd8233085deb96

      SHA1

      c0c491f6bf6bb550e49a82fc1159dad7894de58f

      SHA256

      b00da994c4d55f987ce171d4b661f019b3354f9d2d97fefc67275544a930bc9d

      SHA512

      5f2a2a78f5aa0553927f854d5f7876138ac694607294e3f843f3bc3e1453b376db2b0caeaacd14621a6e815fa4f2ab9bc3d65c514258011e31599c18357e1748

      Download Submit

    • C:\Windows\SysWOW64\install\svchost.exe
      Filesize

      930KB

      MD5

      600e7019b86f01d33cdd8233085deb96

      SHA1

      c0c491f6bf6bb550e49a82fc1159dad7894de58f

      SHA256

      b00da994c4d55f987ce171d4b661f019b3354f9d2d97fefc67275544a930bc9d

      SHA512

      5f2a2a78f5aa0553927f854d5f7876138ac694607294e3f843f3bc3e1453b376db2b0caeaacd14621a6e815fa4f2ab9bc3d65c514258011e31599c18357e1748

      Download Submit

    • C:\Windows\SysWOW64\install\svchost.exe
      Filesize

      930KB

      MD5

      600e7019b86f01d33cdd8233085deb96

      SHA1

      c0c491f6bf6bb550e49a82fc1159dad7894de58f

      SHA256

      b00da994c4d55f987ce171d4b661f019b3354f9d2d97fefc67275544a930bc9d

      SHA512

      5f2a2a78f5aa0553927f854d5f7876138ac694607294e3f843f3bc3e1453b376db2b0caeaacd14621a6e815fa4f2ab9bc3d65c514258011e31599c18357e1748

      Download Submit

    • \Users\Admin\AppData\Local\Temp\microsoft.exe
      Filesize

      930KB

      MD5

      600e7019b86f01d33cdd8233085deb96

      SHA1

      c0c491f6bf6bb550e49a82fc1159dad7894de58f

      SHA256

      b00da994c4d55f987ce171d4b661f019b3354f9d2d97fefc67275544a930bc9d

      SHA512

      5f2a2a78f5aa0553927f854d5f7876138ac694607294e3f843f3bc3e1453b376db2b0caeaacd14621a6e815fa4f2ab9bc3d65c514258011e31599c18357e1748

      Download Submit

    • \Windows\SysWOW64\install\svchost.exe
      Filesize

      930KB

      MD5

      600e7019b86f01d33cdd8233085deb96

      SHA1

      c0c491f6bf6bb550e49a82fc1159dad7894de58f

      SHA256

      b00da994c4d55f987ce171d4b661f019b3354f9d2d97fefc67275544a930bc9d

      SHA512

      5f2a2a78f5aa0553927f854d5f7876138ac694607294e3f843f3bc3e1453b376db2b0caeaacd14621a6e815fa4f2ab9bc3d65c514258011e31599c18357e1748

      Download Submit

    • memory/932-81-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-79-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-68-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-70-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-71-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-73-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-74-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-76-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-72-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-106-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

      Download

    • memory/932-112-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-93-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/932-82-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/932-84-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/932-67-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/1412-87-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1696-113-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1696-111-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1696-118-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2000-61-0x0000000075451000-0x0000000075453000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2016-101-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2016-98-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2016-92-0x00000000748B1000-0x00000000748B3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2020-56-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2020-54-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/2020-63-0x0000000000B86000-0x0000000000BA5000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2020-55-0x000007FEF2370000-0x000007FEF3406000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2020-133-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2020-134-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2020-135-0x0000000000400000-0x000000000044E000-memory.dmp

      Filesize

      312KB

      Download