Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2022, 06:40

General

  • Target

    cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe

  • Size

    337KB

  • MD5

    55ef9dab56221dc72b4d6406f756e2ab

  • SHA1

    7a535f948980df42bca05ee2d6ada088aa151dd2

  • SHA256

    cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68

  • SHA512

    75a95e3bda4fa067f42d4e96225958c2a08e3f76633b1df026127c1b88abec4b992a07aecdd14c0017b6f77eb5b06199fec1d3eacd695ed3f7e9694555402521

  • SSDEEP

    6144:Ad0llEnjIE+Bv7fwi8ifkQjZE9xqd8fj13iem+pksz:k0QnjIBLwFX9xA8xnk

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

light

C2

l1ght.no-ip.org:82

Mutex

76XBSQG80O08T3

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    .//public_html/vacation/

  • ftp_interval

    20

  • ftp_password

    pedro1

  • ftp_port

    21

  • ftp_server

    marc.comuf.com

  • ftp_username

    a7505506

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    light

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe
    "C:\Users\Admin\AppData\Local\Temp\cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:972
        • C:\Windows\SysWOW64\install\server.exe
          "C:\Windows\system32\install\server.exe"
          4⤵
          • Executes dropped EXE
          PID:1988
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\bcdprov.exe
        "C:\Users\Admin\AppData\Local\Temp\bcdprov.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:768
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          4⤵
          PID:1736

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

            Filesize

            224KB

            MD5

            24d14743f72fe40babbb20a22afe12e7

            SHA1

            7c22498a522dc954d746882fc214b703ed6e7d6f

            SHA256

            383b9f1ec304eaf54d8cc9fb7a211641ce4f7d325aad55d72b6b48385f1fcc93

            SHA512

            4921d74d93454b5046016fb51c0847afc1cf98ef20cd9b491e41422a35540a0209b3ff455d1fb144b7f8defb9011fb6fef6ebbfb8152b781250ce784fefff975

          • C:\Users\Admin\AppData\Local\Temp\bcdprov.exe

            Filesize

            337KB

            MD5

            55ef9dab56221dc72b4d6406f756e2ab

            SHA1

            7a535f948980df42bca05ee2d6ada088aa151dd2

            SHA256

            cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68

            SHA512

            75a95e3bda4fa067f42d4e96225958c2a08e3f76633b1df026127c1b88abec4b992a07aecdd14c0017b6f77eb5b06199fec1d3eacd695ed3f7e9694555402521

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe

            Filesize

            10KB

            MD5

            ea196209244297c543ec542109c9a9b9

            SHA1

            48a843f194b89c8ccd547ea4ab7e1a24898c6cd9

            SHA256

            644e2a74e866baaffe2cf3ac6107547769ff77614b5ffeacb64245b114d9870b

            SHA512

            6e38603ce3718f85c29417aa232a22323a121155bd69599b2587e7b68214ecbd4138f2ab748083e44534abc4ae8a0fdc5cfa451332a36fca9fbf8acdc6fef2d2

          • C:\Windows\SysWOW64\install\server.exe

            Filesize

            54KB

            MD5

            0f01571a3e4c71eb4313175aae86488e

            SHA1

            2ba648afe2cd52edf5f25e304f77d457abf7ac0e

            SHA256

            8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

            SHA512

            159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

          • \Users\Admin\AppData\Local\Temp\bcdprov.exe

            Filesize

            337KB

            MD5

            55ef9dab56221dc72b4d6406f756e2ab

            SHA1

            7a535f948980df42bca05ee2d6ada088aa151dd2

            SHA256

            cd6b6eaa5001a7dbdaaa542466c801dab48073fd5eee469b9a8a5ffe6da5ac68

            SHA512

            75a95e3bda4fa067f42d4e96225958c2a08e3f76633b1df026127c1b88abec4b992a07aecdd14c0017b6f77eb5b06199fec1d3eacd695ed3f7e9694555402521

          • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe

            Filesize

            10KB

            MD5

            ea196209244297c543ec542109c9a9b9

            SHA1

            48a843f194b89c8ccd547ea4ab7e1a24898c6cd9

            SHA256

            644e2a74e866baaffe2cf3ac6107547769ff77614b5ffeacb64245b114d9870b

            SHA512

            6e38603ce3718f85c29417aa232a22323a121155bd69599b2587e7b68214ecbd4138f2ab748083e44534abc4ae8a0fdc5cfa451332a36fca9fbf8acdc6fef2d2

          • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe

            Filesize

            10KB

            MD5

            ea196209244297c543ec542109c9a9b9

            SHA1

            48a843f194b89c8ccd547ea4ab7e1a24898c6cd9

            SHA256

            644e2a74e866baaffe2cf3ac6107547769ff77614b5ffeacb64245b114d9870b

            SHA512

            6e38603ce3718f85c29417aa232a22323a121155bd69599b2587e7b68214ecbd4138f2ab748083e44534abc4ae8a0fdc5cfa451332a36fca9fbf8acdc6fef2d2

          • \Windows\SysWOW64\install\server.exe

            Filesize

            54KB

            MD5

            0f01571a3e4c71eb4313175aae86488e

            SHA1

            2ba648afe2cd52edf5f25e304f77d457abf7ac0e

            SHA256

            8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

            SHA512

            159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

          • memory/768-106-0x00000000741F0000-0x000000007479B000-memory.dmp

            Filesize

            5.7MB

          • memory/768-88-0x00000000741F0000-0x000000007479B000-memory.dmp

            Filesize

            5.7MB

          • memory/972-95-0x0000000010410000-0x0000000010475000-memory.dmp

            Filesize

            404KB

          • memory/972-97-0x0000000010410000-0x0000000010475000-memory.dmp

            Filesize

            404KB

          • memory/972-104-0x0000000010410000-0x0000000010475000-memory.dmp

            Filesize

            404KB

          • memory/972-107-0x0000000010410000-0x0000000010475000-memory.dmp

            Filesize

            404KB

          • memory/1324-105-0x00000000741F0000-0x000000007479B000-memory.dmp

            Filesize

            5.7MB

          • memory/1324-87-0x00000000741F0000-0x000000007479B000-memory.dmp

            Filesize

            5.7MB

          • memory/1616-61-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-66-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-58-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-86-0x0000000000401000-0x000000000040F000-memory.dmp

            Filesize

            56KB

          • memory/1616-60-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-75-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-62-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-78-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-92-0x0000000010410000-0x0000000010475000-memory.dmp

            Filesize

            404KB

          • memory/1616-70-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-63-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-64-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-68-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1616-57-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1736-121-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1736-123-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1736-125-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

          • memory/1760-55-0x00000000741F0000-0x000000007479B000-memory.dmp

            Filesize

            5.7MB

          • memory/1760-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

            Filesize

            8KB

          • memory/1760-56-0x00000000741F0000-0x000000007479B000-memory.dmp

            Filesize

            5.7MB