Overview

overview

10

Static

static

7b91902e17...c9.exe

windows7-x64

10

7b91902e17...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/10/2022, 23:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe

  • Size

    479KB

  • MD5

    a17e4519a6e005f7fd867703639a15a7

  • SHA1

    23e6bc4906b190a33203cd489ede1d499e819cad

  • SHA256

    7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9

  • SHA512

    e47a3eae65661119b7900d95c1a8f5edc80d55a6d1110aea53d13aaf408447eef73165e866ee74907ad1483c53396835143c1534a956b933fe224f3da4d28a04

  • SSDEEP

    12288:tzPC0M438po70VxFFVJYCNp18mXxt2p7mOEvdwmQEd7bOuf+eube:hFs+ITxtK46Ywh

Score
10/10
cybergatevictimepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Trial version

Botnet

Victime

C2

tarik775.no-ip.org:81

Mutex

XO6853ER546413

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    BOOT

  • install_file

    msnmsgr.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    008

  • regkey_hkcu

    Windows Live Messenger

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe
    "C:\Users\Admin\AppData\Local\Temp\7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:988
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          3⤵
          • Drops startup file
          • Suspicious use of AdjustPrivilegeToken
          PID:440
        • C:\Program Files (x86)\BOOT\msnmsgr.exe
          "C:\Program Files (x86)\BOOT\msnmsgr.exe"
          3⤵
          • Executes dropped EXE
          PID:1264
      • C:\Users\Admin\AppData\Local\Temp\7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe
        "C:\Users\Admin\AppData\Local\Temp\7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
            PID:1344

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\BOOT\msnmsgr.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • C:\Program Files (x86)\BOOT\msnmsgr.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        236KB

        MD5

        f4b4d5e12e248fcd38e4d19d6a2f6de8

        SHA1

        e4755580568a279d033badbe70ec74a118282914

        SHA256

        5f64d8a67c42f227bcac19d4d341fd4bfcd10bdf2660e145fa8c316a7ff00fa3

        SHA512

        10f72b11ed3c67991b726642cbd51ace2f66da738adfc77aaffe8fe41ae455a5682b2371b75eb4756f94a33f0f2fe8732a224fff5b16825932308a09468cd03f

        Download Submit

      • \Program Files (x86)\BOOT\msnmsgr.exe
        Filesize

        1.1MB

        MD5

        34aa912defa18c2c129f1e09d75c1d7e

        SHA1

        9c3046324657505a30ecd9b1fdb46c05bde7d470

        SHA256

        6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

        SHA512

        d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

        Download Submit

      • memory/440-101-0x0000000010490000-0x0000000010502000-memory.dmp

        Filesize

        456KB

        Download

      • memory/440-98-0x0000000010490000-0x0000000010502000-memory.dmp

        Filesize

        456KB

        Download

      • memory/440-96-0x0000000010490000-0x0000000010502000-memory.dmp

        Filesize

        456KB

        Download

      • memory/1108-93-0x0000000010490000-0x0000000010502000-memory.dmp

        Filesize

        456KB

        Download

      • memory/1108-61-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-63-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-57-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-56-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-107-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-59-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-62-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-84-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-87-0x0000000010410000-0x0000000010482000-memory.dmp

        Filesize

        456KB

        Download

      • memory/1108-65-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-68-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-60-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1108-67-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1344-85-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1344-103-0x0000000000400000-0x000000000044D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/1676-54-0x0000000000200000-0x000000000027E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/1676-55-0x00000000004F0000-0x00000000004FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1676-69-0x00000000753C1000-0x00000000753C3000-memory.dmp

        Filesize

        8KB

        Download