Overview

overview

10

Static

static

4c4395c3da...9b.exe

windows7-x64

10

4c4395c3da...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2022, 00:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b.exe

  • Size

    343KB

  • MD5

    7a6786b94b63b769789f7ff20c597181

  • SHA1

    d13c1a6e8e02f4f8ee57ba8de437ac5eeeeb6e28

  • SHA256

    4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b

  • SHA512

    977befc7113e00cce98606428c4d250cb27c434c0912106d85365582bcdd4a45e929a86005c733fd606c8597b693ea2112b6fcf3079cdfc9ceb3d97b4d2077d3

  • SSDEEP

    6144:7FW769vwwb5aUgP+3eXzbfquX6x5YyDuFrg1a34JdJzBSPE7C39LZw:7M053+zbyifyDuFrg1Y4JdJzBSPXx

Score
10/10
cybergatenew vicitime ;)persistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

New Vicitime ;)

C2

mrayoub.no-ip.biz:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Antivirus

  • install_file

    Avira Et Node.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b.exe
        "C:\Users\Admin\AppData\Local\Temp\4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msmmsgr /t REG_SZ /d "C:\Windows\TEMP\x\services.exe" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1224
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msmmsgr /t REG_SZ /d "C:\Windows\TEMP\x\services.exe" /f
            4⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:1892
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d "C:\Windows\TEMP\services.exe" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d "C:\Windows\TEMP\services.exe" /f
            4⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:756
        • C:\Users\Admin\AppData\Local\Temp\4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b.exe
          C:\Users\Admin\AppData\Local\Temp\4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2036
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:632
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Deletes itself
            • Loads dropped DLL
            • Drops desktop.ini file(s)
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1928
            • C:\Windows\SysWOW64\Antivirus\Avira Et Node.exe
              "C:\Windows\system32\Antivirus\Avira Et Node.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:1936
              • C:\Windows\SysWOW64\Antivirus\Avira Et Node.exe
                "C:\Windows\SysWOW64\Antivirus\Avira Et Node.exe"
                6⤵
                • Executes dropped EXE
                PID:2032

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
            Filesize

            229KB

            MD5

            daea1b84a6af5af9bec75c835732511b

            SHA1

            6f3d11f99c65b93e06a56ea2f1dc6e890df944e5

            SHA256

            02a014e67c3059e288a0fbb1a4c37cac0359752ee9a8caa075a8da3e9a053cb3

            SHA512

            46ecc1005d57c41410ea18051ee0bef7f03e1549697b6a8ebe2906373db0492faf37763bc2570177386b0b381dcb0f0ee2ea39cbd8596a31c72bc225efaf8d91

            Download Submit

          • C:\Windows\SysWOW64\Antivirus\Avira Et Node.exe
            Filesize

            343KB

            MD5

            7a6786b94b63b769789f7ff20c597181

            SHA1

            d13c1a6e8e02f4f8ee57ba8de437ac5eeeeb6e28

            SHA256

            4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b

            SHA512

            977befc7113e00cce98606428c4d250cb27c434c0912106d85365582bcdd4a45e929a86005c733fd606c8597b693ea2112b6fcf3079cdfc9ceb3d97b4d2077d3

            Download Submit

          • C:\Windows\SysWOW64\Antivirus\Avira Et Node.exe
            Filesize

            343KB

            MD5

            7a6786b94b63b769789f7ff20c597181

            SHA1

            d13c1a6e8e02f4f8ee57ba8de437ac5eeeeb6e28

            SHA256

            4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b

            SHA512

            977befc7113e00cce98606428c4d250cb27c434c0912106d85365582bcdd4a45e929a86005c733fd606c8597b693ea2112b6fcf3079cdfc9ceb3d97b4d2077d3

            Download Submit

          • C:\Windows\SysWOW64\Antivirus\Avira Et Node.exe
            Filesize

            343KB

            MD5

            7a6786b94b63b769789f7ff20c597181

            SHA1

            d13c1a6e8e02f4f8ee57ba8de437ac5eeeeb6e28

            SHA256

            4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b

            SHA512

            977befc7113e00cce98606428c4d250cb27c434c0912106d85365582bcdd4a45e929a86005c733fd606c8597b693ea2112b6fcf3079cdfc9ceb3d97b4d2077d3

            Download Submit

          • \Windows\SysWOW64\Antivirus\Avira Et Node.exe
            Filesize

            343KB

            MD5

            7a6786b94b63b769789f7ff20c597181

            SHA1

            d13c1a6e8e02f4f8ee57ba8de437ac5eeeeb6e28

            SHA256

            4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b

            SHA512

            977befc7113e00cce98606428c4d250cb27c434c0912106d85365582bcdd4a45e929a86005c733fd606c8597b693ea2112b6fcf3079cdfc9ceb3d97b4d2077d3

            Download Submit

          • \Windows\SysWOW64\Antivirus\Avira Et Node.exe
            Filesize

            343KB

            MD5

            7a6786b94b63b769789f7ff20c597181

            SHA1

            d13c1a6e8e02f4f8ee57ba8de437ac5eeeeb6e28

            SHA256

            4c4395c3da6325982750f0c4df9297618285b82eeebc0765bdd97d60be90c09b

            SHA512

            977befc7113e00cce98606428c4d250cb27c434c0912106d85365582bcdd4a45e929a86005c733fd606c8597b693ea2112b6fcf3079cdfc9ceb3d97b4d2077d3

            Download Submit

          • memory/632-83-0x0000000024080000-0x00000000240E2000-memory.dmp

            Filesize

            392KB

            Download

          • memory/632-74-0x00000000749C1000-0x00000000749C3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/632-80-0x0000000024080000-0x00000000240E2000-memory.dmp

            Filesize

            392KB

            Download

          • memory/1284-69-0x0000000024010000-0x0000000024072000-memory.dmp

            Filesize

            392KB

            Download

          • memory/1928-110-0x00000000240F0000-0x0000000024152000-memory.dmp

            Filesize

            392KB

            Download

          • memory/1928-93-0x00000000240F0000-0x0000000024152000-memory.dmp

            Filesize

            392KB

            Download

          • memory/1928-95-0x00000000240F0000-0x0000000024152000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2032-107-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2032-108-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2032-106-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2032-109-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2032-105-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2036-75-0x0000000024080000-0x00000000240E2000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2036-56-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2036-94-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2036-88-0x00000000240F0000-0x0000000024152000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2036-62-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2036-60-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2036-66-0x0000000024010000-0x0000000024072000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2036-64-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2036-63-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

            Download