Overview

overview

10

Static

static

8

458cdba55c...f8.exe

windows7-x64

10

458cdba55c...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2022 01:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8.exe

  • Size

    397KB

  • MD5

    9356c56374eed0fe79bd4772eaf7b6c0

  • SHA1

    bfeea518e5673da831c383e14424b60f1e8153c5

  • SHA256

    458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8

  • SHA512

    2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975

  • SSDEEP

    6144:Uk4qmzFrq5uOshWGPYBY3EEHKVJyAtTcAF/ST6E0uvr4MFKWG8aTv/ZN1sH7zCXi:39UqQxhQmEYyJCARK6PPM1aTHZNU7R

Score
10/10
cybergatesalitymicrosoftbackdoorevasionpersistencestealertrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

cybergate

Version

2.6

Botnet

Microsoft

C2

jackerjumper.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    system32

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Modifies firewall policy service 2 TTPs 9 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 21 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 37 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1188
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1216
        • C:\Users\Admin\AppData\Local\Temp\458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8.exe
          "C:\Users\Admin\AppData\Local\Temp\458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Enumerates connected drives
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:916
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            3⤵
            • Modifies Installed Components in the registry
            PID:1272
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
              PID:1996
            • C:\Users\Admin\AppData\Local\Temp\458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8.exe
              "C:\Users\Admin\AppData\Local\Temp\458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8.exe"
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:976
              • C:\Windows\SysWOW64\system32\svchost.exe
                "C:\Windows\system32\system32\svchost.exe"
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Suspicious behavior: EnumeratesProcesses
                • System policy modification
                PID:576
              • C:\Users\Admin\AppData\Local\Temp\Voice Activated.exe
                "C:\Users\Admin\AppData\Local\Temp\Voice Activated.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1628
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1128

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          3
          T1060

          Privilege Escalation

          Bypass User Account Control

          1
          T1088

          Defense Evasion

          Modify Registry

          8
          T1112

          Bypass User Account Control

          1
          T1088

          Disabling Security Tools

          3
          T1089

          Credential Access

          Discovery

          System Information Discovery

          3
          T1082

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8.exe
            Filesize

            397KB

            MD5

            9356c56374eed0fe79bd4772eaf7b6c0

            SHA1

            bfeea518e5673da831c383e14424b60f1e8153c5

            SHA256

            458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8

            SHA512

            2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Voice Activated.exe
            Filesize

            88KB

            MD5

            f51000d5b84b88248e65ef64437f750c

            SHA1

            f2ad34140c390d2b01afe7185f4f2fb63f025a78

            SHA256

            25739cc18bed2bddcd315bab9e621072a06e897a7def515e4dcd7bd2ed3fd3b9

            SHA512

            51aa5fe4f9322b6f4eb64541413d12f280148668c228ba5b8c64451e84f529dfabe3048415c5d6bc0792b6950636d8d4eb76cc19996d305a950738864c989617

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
            Filesize

            317KB

            MD5

            fc92151802d15968b1de0986a9ecc9a6

            SHA1

            4cf6e5d952eb9bb10fb830076ca55a00e9560451

            SHA256

            1a7123b825bca9eb9c803ddee0776894d7f57a4855db1b542889b861bf04779a

            SHA512

            f9231edd69078f0d38c562b16c3c0700e1c357ad2621e8e451b56fcdab834f96d9e1988ed3824c361e080bd913ea9985f608a691474e2fc5424228e5c935c8d8

            Download Submit
          • C:\Windows\SYSTEM.INI
            Filesize

            255B

            MD5

            679af3e196fbee5ec3c7bed195336e62

            SHA1

            9ec2a8a292615481e069ef42570e6039f649d2d5

            SHA256

            d3fa1d3c059345d195bfe88c931373793b4d36f46f913a4b25e0fca129b36480

            SHA512

            7cf1d300436d1f628c90def226f3c62ae9fff185666309d64d31127e65f6a3c6c9584315123a3934fb07a12bf8b60e6790905f8f3a592e30b16175a37cb62d3b

            Download Submit
          • C:\Windows\SysWOW64\system32\svchost.exe
            Filesize

            397KB

            MD5

            9356c56374eed0fe79bd4772eaf7b6c0

            SHA1

            bfeea518e5673da831c383e14424b60f1e8153c5

            SHA256

            458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8

            SHA512

            2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975

            Download Submit
          • C:\Windows\SysWOW64\system32\svchost.exe
            Filesize

            397KB

            MD5

            9356c56374eed0fe79bd4772eaf7b6c0

            SHA1

            bfeea518e5673da831c383e14424b60f1e8153c5

            SHA256

            458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8

            SHA512

            2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975

            Download Submit
          • \Users\Admin\AppData\Local\Temp\458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8.exe
            Filesize

            397KB

            MD5

            9356c56374eed0fe79bd4772eaf7b6c0

            SHA1

            bfeea518e5673da831c383e14424b60f1e8153c5

            SHA256

            458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8

            SHA512

            2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975

            Download Submit
          • \Users\Admin\AppData\Local\Temp\Voice Activated.exe
            Filesize

            88KB

            MD5

            f51000d5b84b88248e65ef64437f750c

            SHA1

            f2ad34140c390d2b01afe7185f4f2fb63f025a78

            SHA256

            25739cc18bed2bddcd315bab9e621072a06e897a7def515e4dcd7bd2ed3fd3b9

            SHA512

            51aa5fe4f9322b6f4eb64541413d12f280148668c228ba5b8c64451e84f529dfabe3048415c5d6bc0792b6950636d8d4eb76cc19996d305a950738864c989617

            Download Submit
          • \Users\Admin\AppData\Local\Temp\Voice Activated.exe
            Filesize

            88KB

            MD5

            f51000d5b84b88248e65ef64437f750c

            SHA1

            f2ad34140c390d2b01afe7185f4f2fb63f025a78

            SHA256

            25739cc18bed2bddcd315bab9e621072a06e897a7def515e4dcd7bd2ed3fd3b9

            SHA512

            51aa5fe4f9322b6f4eb64541413d12f280148668c228ba5b8c64451e84f529dfabe3048415c5d6bc0792b6950636d8d4eb76cc19996d305a950738864c989617

            Download Submit
          • \Windows\SysWOW64\system32\svchost.exe
            Filesize

            397KB

            MD5

            9356c56374eed0fe79bd4772eaf7b6c0

            SHA1

            bfeea518e5673da831c383e14424b60f1e8153c5

            SHA256

            458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8

            SHA512

            2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975

            Download Submit
          • \Windows\SysWOW64\system32\svchost.exe
            Filesize

            397KB

            MD5

            9356c56374eed0fe79bd4772eaf7b6c0

            SHA1

            bfeea518e5673da831c383e14424b60f1e8153c5

            SHA256

            458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8

            SHA512

            2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975

            Download Submit
          • memory/576-122-0x0000000000400000-0x0000000000480000-memory.dmp
            Filesize

            512KB

            Download
          • memory/576-106-0x0000000000000000-mapping.dmp
            Download
          • memory/576-116-0x0000000001DC0000-0x0000000002E4E000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/576-125-0x00000000003F0000-0x00000000003F2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/576-127-0x0000000000400000-0x0000000000480000-memory.dmp
            Filesize

            512KB

            Download
          • memory/576-128-0x0000000001DC0000-0x0000000002E4E000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/916-76-0x0000000024080000-0x00000000240E2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/916-71-0x0000000001E30000-0x0000000002EBE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/916-55-0x0000000001E30000-0x0000000002EBE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/916-54-0x0000000076091000-0x0000000076093000-memory.dmp
            Filesize

            8KB

            Download
          • memory/916-86-0x00000000240F0000-0x0000000024152000-memory.dmp
            Filesize

            392KB

            Download
          • memory/916-56-0x0000000000400000-0x0000000000480000-memory.dmp
            Filesize

            512KB

            Download
          • memory/916-57-0x0000000001E30000-0x0000000002EBE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/916-73-0x0000000003D30000-0x0000000003D32000-memory.dmp
            Filesize

            8KB

            Download
          • memory/916-94-0x0000000005170000-0x00000000051F0000-memory.dmp
            Filesize

            512KB

            Download
          • memory/916-58-0x0000000000320000-0x0000000000322000-memory.dmp
            Filesize

            8KB

            Download
          • memory/916-96-0x0000000024160000-0x00000000241C2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/916-60-0x0000000024010000-0x0000000024072000-memory.dmp
            Filesize

            392KB

            Download
          • memory/916-102-0x0000000000400000-0x0000000000480000-memory.dmp
            Filesize

            512KB

            Download
          • memory/916-103-0x0000000001E30000-0x0000000002EBE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/916-69-0x0000000003D30000-0x0000000003D32000-memory.dmp
            Filesize

            8KB

            Download
          • memory/916-70-0x0000000000400000-0x0000000000480000-memory.dmp
            Filesize

            512KB

            Download
          • memory/916-72-0x0000000000320000-0x0000000000322000-memory.dmp
            Filesize

            8KB

            Download
          • memory/976-101-0x0000000024160000-0x00000000241C2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/976-117-0x0000000004EB0000-0x0000000004EC6000-memory.dmp
            Filesize

            88KB

            Download
          • memory/976-107-0x0000000004EB0000-0x0000000004F30000-memory.dmp
            Filesize

            512KB

            Download
          • memory/976-136-0x0000000004E80000-0x0000000005ACA000-memory.dmp
            Filesize

            12.3MB

            Download
          • memory/976-135-0x0000000003E10000-0x0000000003E12000-memory.dmp
            Filesize

            8KB

            Download
          • memory/976-112-0x0000000004EB0000-0x0000000004F30000-memory.dmp
            Filesize

            512KB

            Download
          • memory/976-134-0x0000000024160000-0x00000000241C2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/976-124-0x0000000003E10000-0x0000000003E12000-memory.dmp
            Filesize

            8KB

            Download
          • memory/976-114-0x0000000004EB0000-0x0000000004EC6000-memory.dmp
            Filesize

            88KB

            Download
          • memory/976-118-0x0000000024160000-0x00000000241C2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/976-91-0x0000000000000000-mapping.dmp
            Download
          • memory/976-133-0x0000000004EB0000-0x0000000004F30000-memory.dmp
            Filesize

            512KB

            Download
          • memory/976-95-0x0000000000400000-0x0000000000480000-memory.dmp
            Filesize

            512KB

            Download
          • memory/976-131-0x0000000004E80000-0x0000000005ACA000-memory.dmp
            Filesize

            12.3MB

            Download
          • memory/1216-63-0x0000000024010000-0x0000000024072000-memory.dmp
            Filesize

            392KB

            Download
          • memory/1272-129-0x0000000000500000-0x0000000000502000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1272-75-0x00000000004E0000-0x00000000004E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1272-81-0x0000000024080000-0x00000000240E2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/1272-74-0x0000000000500000-0x0000000000502000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1272-130-0x00000000004E0000-0x00000000004E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1272-132-0x0000000024080000-0x00000000240E2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/1272-82-0x0000000024080000-0x00000000240E2000-memory.dmp
            Filesize

            392KB

            Download
          • memory/1272-66-0x0000000000000000-mapping.dmp
            Download
          • memory/1272-68-0x00000000748F1000-0x00000000748F3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1628-123-0x0000000000400000-0x0000000000416000-memory.dmp
            Filesize

            88KB

            Download
          • memory/1628-126-0x0000000000020000-0x0000000000022000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1628-111-0x0000000000000000-mapping.dmp
            Download