Analysis
- max time kernel: 92s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-10-2022 05:11
Behavioral task: behavioral1
- Sample: e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e.dll
- Resource: win7-20220901-en
General
- Target: e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e.dll
- Size: 612KB
- MD5: 4c135164ab221e6cfd8290800578432f
- SHA1: bfdf17d55112c9b331a442f44c0a1b3a95bf3859
- SHA256: e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e
- SHA512: 35822292fb8a3e9535a571d68a899803136da15eeb72d11dfa1822abdf1b50054ffe8de6d10596fee37e4a7827e18471f670b63822cd9851126187550b541368
- SSDEEP: 12288:2U5GLE0kuGnESBW+8H9u6vRHO/UUCruWVz/:2U4MtnES78HPuWVz
Malware Config
Extracted
- Family: cybergate
- Version: v1.04.8
- hack
- C2: sss.servepics.com:53320
- K2GHPW524P62M8
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: install
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 1
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target   process        target process
    4912  1568         WerFault.exe   rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    process        target process
    PID 2448 wrote to memory of 1568   2448   rundll32.exe   rundll32.exe
    PID 2448 wrote to memory of 1568   2448   rundll32.exe   rundll32.exe
    PID 2448 wrote to memory of 1568   2448   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e.dll,#1
  (Suspicious use of WriteProcessMemory)
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 616
      (Program crash)
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 1568