Analysis

  • max time kernel
    150s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/11/2022, 10:02

General

  • Target

    a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe

  • Size

    886KB

  • MD5

    0a348b7fdfbf352cb88d90d7f9a51130

  • SHA1

    1ce66ddab94692f7417bd39c8d8716b16ceed429

  • SHA256

    a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1

  • SHA512

    251eb18ded8d1621fb47de568004799919fc494f1ff94e7330e289ef07ca4a05146eb4d71e070fa0f1413200c87c1446aadaf70a1d75febdb4db0a8b78a0ded5

  • SSDEEP

    12288:Wat0EAH49n8BOM81CPJZG3t2mPFeCekSoyZc5/glTka9J01WPbU7NI51u/33EhfX:Bt24NM8AP2vFuBZOglLJ9z1CwoltK

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.4

Botnet

DSCR_SPR_220214

C2

clippico.zapto.org:33881

Mutex

38N85GEQ100N2E

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    FlashPlayerPlugin_11_9_900_175.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    27042704

  • regkey_hkcu

    FlashPlayerPlugin

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1204
      • C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe
        "C:\Users\Admin\AppData\Local\Temp\a5eaed6b92a4a4ac732686d03bb7ee8084c52e1c66ddc5364c081555bd9e1ee1.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
          "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
          3⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
            4⤵
            • Adds policy Run key to start application
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1824
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
              • Modifies Installed Components in the registry
              PID:1820
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              PID:1520
              • C:\Windows\SysWOW64\explorer.exe
                explorer.exe
                5⤵
                • Drops startup file
                • Suspicious use of AdjustPrivilegeToken
                PID:1292
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"
              4⤵
              • Loads dropped DLL
              PID:1312
              • C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
                "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
                5⤵
                • Modifies visibility of hidden/system files in Explorer
                • Executes dropped EXE
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1668
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                  6⤵
                  PID:1996
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"
                    6⤵
                    • Loads dropped DLL
                    PID:1800
                    • C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
                      "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
                      7⤵
                      • Modifies visibility of hidden/system files in Explorer
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Checks whether UAC is enabled
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1932
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                        8⤵
                        PID:108
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\542A49~1\run.vbs"
                          8⤵
                          • Loads dropped DLL
                          PID:828
                          • C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com
                            "C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com" eFZsGeMgsklx
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1624

                Downloads

                • C:\Users\Admin\542A49~1\IUfBHT.VPT

                  Filesize

                  202B

                  MD5

                  9c160bfbdb99f4fce6e270936b46b7d0

                  SHA1

                  a250c33e8f5e590a369b5406a8462817ee11d14d

                  SHA256

                  449ad064deabcd2cc96e131527accadafe685103724c4365127468a58ef81bbc

                  SHA512

                  36afa7693e648d954ccc72c423dc7c3fa9c05503c6eb3632410ae566897f60192bae87c8933875954e6f3baba28284e29d260fd90fbe1f8accec5bc6168932ae

                • C:\Users\Admin\542A49~1\RRBJLL~1.ALR

                  Filesize

                  277KB

                  MD5

                  a397e3dfaf6c4df090004c47d2e29d22

                  SHA1

                  8e76f79d34c2498c761fbaa00eb6fc14d56ea813

                  SHA256

                  991a74e23f24d62660ff47b72435145fcfc438b5e69c14ae5d1c518ecfd83eb4

                  SHA512

                  8bbc17fe03c9060a32773590169684249a6d035fa0f976c10de4f07f3bfdb60e09261be7d548ac5b2dab8f0054cbcd7c43d9ec3d79778d137e1c5ee919c6d89c

                • C:\Users\Admin\542A49~1\run.vbs

                  Filesize

                  95B

                  MD5

                  c735bed0f11b2aa8c978be1417eb4503

                  SHA1

                  b46cbc79b2dee40c44c72fe3eca7d45e001e2eb6

                  SHA256

                  cf87f1aa3122701b50570303d6663bf313c9dc5b1418785c0c44eb2d4409510a

                  SHA512

                  8255176e00ab93d1765b3ed4197c5a7e17cd87b62b57bca458068df2d7d3ba5510b0e0673373605cce4ad53168bcbcb7ca5744ba276267a64473250a71b7706e

                • C:\Users\Admin\542a49tpb3b73\KcAxPTFELm.com

                  Filesize

                  732KB

                  MD5

                  71d8f6d5dc35517275bc38ebcc815f9f

                  SHA1

                  cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

                  SHA256

                  fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

                  SHA512

                  4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

                • C:\Users\Admin\542a49tpb3b73\eFZsGeMgsklx

                  Filesize

                  35.9MB

                  MD5

                  70150e173740fe5fe9b00285b47b60de

                  SHA1

                  91b7699f142f5d41bbda9c24468c0cf4b75d7426

                  SHA256

                  dc9e977713016621a4d09cbac7809ca1b9d6c3c2fb63100f6b8857f01bcd1196

                  SHA512

                  e225d4c24b07b8b43a72b369efbe22085991114a5c3ee33fed65d017b8ef9c1c9b3ae75be0701c4283681aa311a09f26bf378c7f23cc1f5f777319874453e833

                • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

                  Filesize

                  234KB

                  MD5

                  91480253b7d1de28ccde41e8cbb1da10

                  SHA1

                  4f0db59cf4cfc47e6518fa8a79900c01708fb326

                  SHA256

                  b3a07e078667558994034ecce19b995c583b45c6332008e7f466f53ad42ea38b

                  SHA512

                  99341ac9e688b1b33d9358481d22c87c22bfede820ad8fe4f7587dc7d6b3b5732e78555a1c52454c84392285e90001c77ec07d3acd4d9f3b8f0f51b6e5ad0d4b

                • C:\install\FlashPlayerPlugin_11_9_900_175.exe

                  Filesize

                  32KB

                  MD5

                  d79f070423fdd3f01ce8c2ba3fbbc8ed

                  SHA1

                  2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

                  SHA256

                  97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

                  SHA512

                  47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

                • \Users\Admin\542a49tpb3b73\KcAxPTFELm.com

                  Filesize

                  732KB

                  MD5

                  71d8f6d5dc35517275bc38ebcc815f9f

                  SHA1

                  cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

                  SHA256

                  fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

                  SHA512

                  4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

                • memory/108-152-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/108-153-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1204-81-0x0000000010410000-0x0000000010480000-memory.dmp

                  Filesize

                  448KB

                • memory/1292-120-0x0000000010560000-0x00000000105D0000-memory.dmp

                  Filesize

                  448KB

                • memory/1292-110-0x0000000010560000-0x00000000105D0000-memory.dmp

                  Filesize

                  448KB

                • memory/1292-109-0x0000000010560000-0x00000000105D0000-memory.dmp

                  Filesize

                  448KB

                • memory/1764-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

                  Filesize

                  8KB

                • memory/1820-95-0x0000000010480000-0x00000000104F0000-memory.dmp

                  Filesize

                  448KB

                • memory/1820-92-0x0000000010480000-0x00000000104F0000-memory.dmp

                  Filesize

                  448KB

                • memory/1820-86-0x0000000074761000-0x0000000074763000-memory.dmp

                  Filesize

                  8KB

                • memory/1824-78-0x0000000010410000-0x0000000010480000-memory.dmp

                  Filesize

                  448KB

                • memory/1824-111-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1824-97-0x00000000104F0000-0x0000000010560000-memory.dmp

                  Filesize

                  448KB

                • memory/1824-69-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1824-65-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1824-104-0x0000000010560000-0x00000000105D0000-memory.dmp

                  Filesize

                  448KB

                • memory/1824-67-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1824-76-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1824-87-0x0000000010480000-0x00000000104F0000-memory.dmp

                  Filesize

                  448KB

                • memory/1824-75-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1824-73-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1824-71-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1996-133-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB

                • memory/1996-132-0x0000000000090000-0x00000000000DB000-memory.dmp

                  Filesize

                  300KB