Overview

overview

10

Static

static

10073dda4d...23.exe

windows7-x64

10

10073dda4d...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10073dda4ddc18b9a0862a37f949e62dae1c843db24c4307714cb4169bfe4623.exe

  • Size

    281KB

  • MD5

    6d73cf602757a2a9b9a3f25150af28f6

  • SHA1

    20da2b27125138a63e6cc67ecea3721df77dacec

  • SHA256

    10073dda4ddc18b9a0862a37f949e62dae1c843db24c4307714cb4169bfe4623

  • SHA512

    dd978f8e49b1d9a8d793b0b725b30c7de7a769e5816173c07ca7f31b1b1237aa76b57f0d54f680bca6ea32931024bba86b8bdba84063251c740845c19eac7db6

  • SSDEEP

    6144:nzTskuajC5bMMTbx3lwKL818+8FSRbrKCGW29bwpXsDuSJ3ySEX:fuHTbRlwK0nBGXbZuMiS6

Score
10/10
cybergatevítimapersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

vítima

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10073dda4ddc18b9a0862a37f949e62dae1c843db24c4307714cb4169bfe4623.exe
    "C:\Users\Admin\AppData\Local\Temp\10073dda4ddc18b9a0862a37f949e62dae1c843db24c4307714cb4169bfe4623.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Local\Temp\10073dda4ddc18b9a0862a37f949e62dae1c843db24c4307714cb4169bfe4623.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:1328
        • C:\Users\Admin\AppData\Local\Temp\10073dda4ddc18b9a0862a37f949e62dae1c843db24c4307714cb4169bfe4623.exe
          "C:\Users\Admin\AppData\Local\Temp\10073dda4ddc18b9a0862a37f949e62dae1c843db24c4307714cb4169bfe4623.exe"
          3⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1380

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      189KB

      MD5

      a25696edcf7ba149ffcf4dbabbaf5a59

      SHA1

      b7b802539b567a6a74a9611b086a040996848807

      SHA256

      e8a98338afddf449b6705dbb8f7d1f21a52a7038b1264970b055e2544d29e8e8

      SHA512

      0ff98cbbf06d2fc99ba21878af6b8ff2a5d3bfe9d78fb6b745eef619d5607b3e518e3ec4c691e5b4cbeab59dd951d254d788e27706120e42e66d59b484128ac4

      Download Submit

    • memory/1380-83-0x0000000024060000-0x00000000240A2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1380-82-0x0000000024060000-0x00000000240A2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1380-79-0x0000000024060000-0x00000000240A2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1380-77-0x0000000024060000-0x00000000240A2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1696-65-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1696-66-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1696-68-0x0000000024010000-0x0000000024052000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1696-63-0x0000000075B51000-0x0000000075B53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1696-74-0x0000000024060000-0x00000000240A2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1696-64-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1696-56-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1696-80-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1696-60-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1696-59-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1696-57-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

      Download