Overview

overview

10

Static

static

1abef2e31a...61.exe

windows7-x64

10

1abef2e31a...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2022 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1abef2e31a34cee723d7ab5ca564f3287634d53f5a13f8d875161800ebeb7261.exe

  • Size

    534KB

  • MD5

    848d53251359f988de7587c9e53ab860

  • SHA1

    0f389b6cf4b1f68760dce27f62250303fee10e7b

  • SHA256

    1abef2e31a34cee723d7ab5ca564f3287634d53f5a13f8d875161800ebeb7261

  • SHA512

    62777b701f6b8a6d4e22f896ac7fab38751e5f3a8e1bb01fe8c395c0036d11199d54f2fe78c166781904a6469b23f003dffdcd5eb52c54518bbf5d152c0a803d

  • SSDEEP

    12288:Kojv+5Do4cYgaDRBPJ4cXSXL9LVCuI3l+vk:7+5nPMESXL9RCuI3lf

Score
10/10
cybergatefuck youevasionpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

fuck you

C2

khaled25.no-ip.biz:81

khaled25.no-ip.biz:80

khaled25.no-ip.biz:82

khaled25.no-ip.biz:83

khaled25.no-ip.biz:84

khaled25.no-ip.biz:85
Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    spynet

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    123123

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:776
      • C:\Users\Admin\AppData\Local\Temp\1abef2e31a34cee723d7ab5ca564f3287634d53f5a13f8d875161800ebeb7261.exe
        "C:\Users\Admin\AppData\Local\Temp\1abef2e31a34cee723d7ab5ca564f3287634d53f5a13f8d875161800ebeb7261.exe"
        2⤵
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\win.exe
          "C:\Users\Admin\AppData\Local\Temp\1abef2e31a34cee723d7ab5ca564f3287634d53f5a13f8d875161800ebeb7261.exe"
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1884
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:3056
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:4776
            • C:\Windows\SysWOW64\win.exe
              "C:\Windows\SysWOW64\win.exe"
              4⤵
              • Checks computer location settings
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:4524
              • C:\Windows\SysWOW64\spynet\server.exe
                "C:\Windows\system32\spynet\server.exe"
                5⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Suspicious use of SetThreadContext
                PID:1352
                • C:\Windows\SysWOW64\win.exe
                  "C:\Windows\system32\spynet\server.exe"
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3484

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        229KB

        MD5

        4d366b4df7c41236d8100a2fa3730f53

        SHA1

        1f3bdf329dcd97f0de6ef42a9b7b696b227f5d6a

        SHA256

        3b94b7555c535b879c026e2b1e9201543f467445fbc96a5228fe3857b7a9b3f9

        SHA512

        3fc107ae992863bc3ea73a3e822e5bea7c0710ae4341c77bf2b0619a2c210046d38e4af8bb65c5c4f081171289616b5fff5a76f5d1e7dd5ac08330efacc4bf15

        Download Submit

      • C:\Windows\SysWOW64\spynet\server.exe
        Filesize

        534KB

        MD5

        848d53251359f988de7587c9e53ab860

        SHA1

        0f389b6cf4b1f68760dce27f62250303fee10e7b

        SHA256

        1abef2e31a34cee723d7ab5ca564f3287634d53f5a13f8d875161800ebeb7261

        SHA512

        62777b701f6b8a6d4e22f896ac7fab38751e5f3a8e1bb01fe8c395c0036d11199d54f2fe78c166781904a6469b23f003dffdcd5eb52c54518bbf5d152c0a803d

        Download Submit

      • C:\Windows\SysWOW64\spynet\server.exe
        Filesize

        534KB

        MD5

        848d53251359f988de7587c9e53ab860

        SHA1

        0f389b6cf4b1f68760dce27f62250303fee10e7b

        SHA256

        1abef2e31a34cee723d7ab5ca564f3287634d53f5a13f8d875161800ebeb7261

        SHA512

        62777b701f6b8a6d4e22f896ac7fab38751e5f3a8e1bb01fe8c395c0036d11199d54f2fe78c166781904a6469b23f003dffdcd5eb52c54518bbf5d152c0a803d

        Download Submit

      • memory/1884-152-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1884-161-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/1884-133-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/1884-144-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1884-135-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/1884-139-0x0000000024010000-0x0000000024072000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1884-137-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/1884-136-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/1884-157-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3056-147-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3056-148-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3056-165-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3484-170-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/3484-171-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/3484-172-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/3484-173-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/4524-162-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/4524-160-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/4524-166-0x0000000024160000-0x00000000241C2000-memory.dmp

        Filesize

        392KB

        Download