Overview

overview

10

Static

static

7b91902e17...c9.exe

windows7-x64

10

7b91902e17...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 23:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe

  • Size

    479KB

  • MD5

    a17e4519a6e005f7fd867703639a15a7

  • SHA1

    23e6bc4906b190a33203cd489ede1d499e819cad

  • SHA256

    7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9

  • SHA512

    e47a3eae65661119b7900d95c1a8f5edc80d55a6d1110aea53d13aaf408447eef73165e866ee74907ad1483c53396835143c1534a956b933fe224f3da4d28a04

  • SSDEEP

    12288:tzPC0M438po70VxFFVJYCNp18mXxt2p7mOEvdwmQEd7bOuf+eube:hFs+ITxtK46Ywh

Score
10/10
cybergatevictimepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Trial version

Botnet

Victime

C2

tarik775.no-ip.org:81

Mutex

XO6853ER546413

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    BOOT

  • install_file

    msnmsgr.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    008

  • regkey_hkcu

    Windows Live Messenger

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe
    "C:\Users\Admin\AppData\Local\Temp\7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2308
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
          3⤵
          • Drops startup file
          • Suspicious use of AdjustPrivilegeToken
          PID:2132
        • C:\Program Files (x86)\BOOT\msnmsgr.exe
          "C:\Program Files (x86)\BOOT\msnmsgr.exe"
          3⤵
          • Executes dropped EXE
          PID:5096
      • C:\Users\Admin\AppData\Local\Temp\7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe
        "C:\Users\Admin\AppData\Local\Temp\7b91902e1732e68a968eada5bb219dbffa319899c7c09435e3090693260d77c9.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:3532
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4732
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1028
                5⤵
                • Program crash
                PID:4532
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1036
                5⤵
                • Program crash
                PID:3560
            • C:\Users\Admin\AppData\Roaming\BOOT\msnmsgr.exe
              "C:\Users\Admin\AppData\Roaming\BOOT\msnmsgr.exe"
              4⤵
              • Executes dropped EXE
              PID:1748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4732 -ip 4732
        1⤵
          PID:2592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4732 -ip 4732
          1⤵
            PID:3556

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\BOOT\msnmsgr.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • C:\Program Files (x86)\BOOT\msnmsgr.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
            Filesize

            236KB

            MD5

            66bf50f7037bdfe47fd8dabd64acb269

            SHA1

            a622bf7f740036200013e537b69b4cd91c5f10fe

            SHA256

            3b918d55f1a7536ceeb045cdcb21265dae18cced81acbe1adfb4665317cba050

            SHA512

            58752fc14cbbb382c47b3340a81db6febe7e26e9ccff3c621951b3c67685052c42507ff46f411f6fa9d27678c57de625c81cf8d38fc446046bf0f456e136565f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\BOOT\msnmsgr.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • C:\Users\Admin\AppData\Roaming\BOOT\msnmsgr.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • memory/444-137-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/444-174-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/444-143-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/444-135-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/444-136-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/444-160-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

            Download

          • memory/444-157-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/2132-166-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2132-170-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

            Download

          • memory/2820-132-0x0000000000870000-0x00000000008EE000-memory.dmp

            Filesize

            504KB

            Download

          • memory/2820-133-0x00000000052A0000-0x000000000533C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/4732-165-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

            Download

          • memory/4732-169-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

            Download

          • memory/4896-159-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

            Download

          • memory/4896-158-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/4896-147-0x0000000010410000-0x0000000010482000-memory.dmp

            Filesize

            456KB

            Download

          • memory/4896-177-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download

          • memory/4896-144-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

            Download