Overview

overview

10

Static

static

9225418474...8b.exe

windows7-x64

10

9225418474...8b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    172s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2022 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe

  • Size

    762KB

  • MD5

    61100d43a149d129dd54142600e34ed8

  • SHA1

    140d028670022775807e7817cf5e1c1e95eb5c1b

  • SHA256

    9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b

  • SHA512

    a55478437bea7a253031d2de0e055b835f9af5c2f396644cd98e5184e562db6911a7ed94944e688cbc6a6f3fa5fa0e7ea68d817b2619918c0046575cb0dca3a9

  • SSDEEP

    12288:A0KcgjVIgfgbn2dHPXjbUTGc4PvLLc5Un5G6QoamvlHsL1Zf69xA2MfKliPP3kUb:ACVi/zPDHKhGu2K3l

Score
10/10
cybergatezombiepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Zombie

C2

amdzone.no-ip.info:3086

Mutex

06I43WDM5B044Q

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    PrivateSW87

  • regkey_hklm

    Windows Live Messenger

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe
        "C:\Users\Admin\AppData\Local\Temp\9225418474c03496346e93e894496c4f59948bc13e23d50387069c8e0eaf498b.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost.exe
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2016
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Suspicious use of AdjustPrivilegeToken
            PID:1600
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1152
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              "C:\Users\Admin\AppData\Roaming\svchost.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of AdjustPrivilegeToken
              PID:1456
              • C:\Windows\SysWOW64\install\server.exe
                "C:\Windows\system32\install\server.exe"
                5⤵
                • Executes dropped EXE
                PID:984

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      3
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        babfa55af0a3b9fa5275c7f093620ab3

        SHA1

        4100c4cefe41ccbd4d36d045d1cf28e642fad6f0

        SHA256

        c7df2f153afcd05e185592caae6bed62c9e765536b6b1330a20ad7279604759c

        SHA512

        953722890d0ba9cef5e5fdadc21759010aba0f99dd112cd6271d48f1fbaa74bbd5d65b2688de4b1e480137d1bc134b58ec730136fedf79aaf73f8b377dfbd496

        Download Submit
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        Download Submit
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        Download Submit
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        Download Submit
      • C:\Windows\SysWOW64\install\server.exe
        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        Download Submit
      • C:\Windows\SysWOW64\install\server.exe
        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        Download Submit
      • \Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        Download Submit
      • \Windows\SysWOW64\install\server.exe
        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        Download Submit
      • memory/984-109-0x0000000000000000-mapping.dmp
        Download
      • memory/1380-76-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1456-107-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1456-105-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1456-97-0x0000000000000000-mapping.dmp
        Download
      • memory/1456-111-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1480-65-0x0000000075000000-0x00000000755AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1480-55-0x0000000075000000-0x00000000755AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1480-54-0x0000000076831000-0x0000000076833000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1600-88-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1600-80-0x0000000000000000-mapping.dmp
        Download
      • memory/1600-82-0x0000000075421000-0x0000000075423000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1600-91-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/2016-93-0x00000000104F0000-0x0000000010555000-memory.dmp
        Filesize

        404KB

        Download
      • memory/2016-100-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/2016-68-0x0000000000400000-0x0000000000456000-memory.dmp
        Filesize

        344KB

        Download
      • memory/2016-83-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/2016-73-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/2016-67-0x0000000000400000-0x0000000000456000-memory.dmp
        Filesize

        344KB

        Download
      • memory/2016-78-0x0000000000411000-0x0000000000455000-memory.dmp
        Filesize

        272KB

        Download
      • memory/2016-69-0x0000000000400000-0x0000000000456000-memory.dmp
        Filesize

        344KB

        Download
      • memory/2016-62-0x0000000000454030-mapping.dmp
        Download
      • memory/2016-106-0x0000000000411000-0x0000000000455000-memory.dmp
        Filesize

        272KB

        Download
      • memory/2016-61-0x0000000000400000-0x0000000000456000-memory.dmp
        Filesize

        344KB

        Download
      • memory/2016-60-0x0000000000400000-0x0000000000456000-memory.dmp
        Filesize

        344KB

        Download
      • memory/2016-58-0x0000000000400000-0x0000000000456000-memory.dmp
        Filesize

        344KB

        Download
      • memory/2016-57-0x0000000000400000-0x0000000000456000-memory.dmp
        Filesize

        344KB

        Download
      • memory/2016-70-0x0000000000411000-0x0000000000455000-memory.dmp
        Filesize

        272KB

        Download