Overview

overview

10

Static

static

8

7320512d45...01.exe

windows7-x64

10

7320512d45...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 00:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201.exe

  • Size

    620KB

  • MD5

    0656b340fca2fe665ac265ff8efd8740

  • SHA1

    70602176970e4dc1ab12067b38b13c7022968b6f

  • SHA256

    7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201

  • SHA512

    21ba4a9fb7799589ad2a4699bed8333a5f9e11eeda72103ef124881e5dd00b23d2a419e7c5682a53301f44b0e6ea7c369a5fa00d7b757d33fb99ad6846d8f8cc

  • SSDEEP

    12288:MwpHwhDYnWPu2Ek6gxRNgifsQffUBJK7HCdA8K79HLq6XhMj8ofG0erj6W:qhD3PwgVmdAzbXadfGv

Score
10/10
cybergateöííépersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

mr1mo0om.no-ip.biz:288

mr1mo0om.no-ip.biz:81
Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    1122

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\system32\sppsvc.exe
          C:\Windows\system32\sppsvc.exe
          2⤵
            PID:752
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
            2⤵
              PID:1796
            • C:\Windows\system32\taskhost.exe
              "taskhost.exe"
              2⤵
                PID:1128
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                2⤵
                  PID:1056
                • C:\Windows\System32\spoolsv.exe
                  C:\Windows\System32\spoolsv.exe
                  2⤵
                    PID:1028
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k NetworkService
                    2⤵
                      PID:292
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                        PID:880
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:856
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          2⤵
                            PID:816
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                              PID:768
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:676
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:600
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:420
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:384
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:372
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:488
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:332
                                        • C:\Windows\System32\smss.exe
                                          \SystemRoot\System32\smss.exe
                                          1⤵
                                            PID:260
                                          • C:\Windows\system32\Dwm.exe
                                            "C:\Windows\system32\Dwm.exe"
                                            1⤵
                                              PID:1204
                                            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                              wmiadap.exe /F /T /R
                                              1⤵
                                                PID:1940
                                              • C:\Windows\Explorer.EXE
                                                C:\Windows\Explorer.EXE
                                                1⤵
                                                  PID:1268
                                                  • C:\Users\Admin\AppData\Local\Temp\7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201.exe"
                                                    2⤵
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of SetWindowsHookEx
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:360
                                                    • C:\Users\Admin\AppData\Local\Temp\7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201.exe"
                                                      3⤵
                                                      • Adds policy Run key to start application
                                                      • Modifies Installed Components in the registry
                                                      • Adds Run key to start application
                                                      • Drops file in System32 directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1800
                                                      • C:\Windows\SysWOW64\explorer.exe
                                                        explorer.exe
                                                        4⤵
                                                        • Modifies Installed Components in the registry
                                                        PID:1240
                                                      • C:\Users\Admin\AppData\Local\Temp\7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201.exe"
                                                        4⤵
                                                        • Loads dropped DLL
                                                        • Drops file in System32 directory
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1084
                                                        • C:\windows\SysWOW64\microsoft\windows.exe
                                                          "C:\windows\system32\microsoft\windows.exe"
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1848
                                                          • C:\windows\SysWOW64\microsoft\windows.exe
                                                            "C:\windows\SysWOW64\microsoft\windows.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:704

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
                                                  Filesize

                                                  240KB

                                                  MD5

                                                  ba44f055911dc014a97deccee5786393

                                                  SHA1

                                                  e4edee33bab234dd108be32e3a7b2dea8a857049

                                                  SHA256

                                                  5ffcf5f2e1e13c579980c61db0d766adb3743716e1370d2942eb4891ad2e791c

                                                  SHA512

                                                  32aee8127b2f155b2cff53db8c8ec7198424ef85a897abbfd55c00c342b6175b63f4e6b48028c156c59ad375602e28f09f5e5ee5da79263e56f17b2a31c82956

                                                  Download Submit

                                                • C:\Windows\SysWOW64\microsoft\windows.exe
                                                  Filesize

                                                  620KB

                                                  MD5

                                                  0656b340fca2fe665ac265ff8efd8740

                                                  SHA1

                                                  70602176970e4dc1ab12067b38b13c7022968b6f

                                                  SHA256

                                                  7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201

                                                  SHA512

                                                  21ba4a9fb7799589ad2a4699bed8333a5f9e11eeda72103ef124881e5dd00b23d2a419e7c5682a53301f44b0e6ea7c369a5fa00d7b757d33fb99ad6846d8f8cc

                                                  Download Submit

                                                • C:\Windows\SysWOW64\microsoft\windows.exe
                                                  Filesize

                                                  620KB

                                                  MD5

                                                  0656b340fca2fe665ac265ff8efd8740

                                                  SHA1

                                                  70602176970e4dc1ab12067b38b13c7022968b6f

                                                  SHA256

                                                  7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201

                                                  SHA512

                                                  21ba4a9fb7799589ad2a4699bed8333a5f9e11eeda72103ef124881e5dd00b23d2a419e7c5682a53301f44b0e6ea7c369a5fa00d7b757d33fb99ad6846d8f8cc

                                                  Download Submit

                                                • \??\c:\windows\SysWOW64\microsoft\windows.exe
                                                  Filesize

                                                  620KB

                                                  MD5

                                                  0656b340fca2fe665ac265ff8efd8740

                                                  SHA1

                                                  70602176970e4dc1ab12067b38b13c7022968b6f

                                                  SHA256

                                                  7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201

                                                  SHA512

                                                  21ba4a9fb7799589ad2a4699bed8333a5f9e11eeda72103ef124881e5dd00b23d2a419e7c5682a53301f44b0e6ea7c369a5fa00d7b757d33fb99ad6846d8f8cc

                                                  Download Submit

                                                • \Windows\SysWOW64\microsoft\windows.exe
                                                  Filesize

                                                  620KB

                                                  MD5

                                                  0656b340fca2fe665ac265ff8efd8740

                                                  SHA1

                                                  70602176970e4dc1ab12067b38b13c7022968b6f

                                                  SHA256

                                                  7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201

                                                  SHA512

                                                  21ba4a9fb7799589ad2a4699bed8333a5f9e11eeda72103ef124881e5dd00b23d2a419e7c5682a53301f44b0e6ea7c369a5fa00d7b757d33fb99ad6846d8f8cc

                                                  Download Submit

                                                • \Windows\SysWOW64\microsoft\windows.exe
                                                  Filesize

                                                  620KB

                                                  MD5

                                                  0656b340fca2fe665ac265ff8efd8740

                                                  SHA1

                                                  70602176970e4dc1ab12067b38b13c7022968b6f

                                                  SHA256

                                                  7320512d456f767189b89c76bcf6adaeab8b0ebf2716046bb14ff36646365201

                                                  SHA512

                                                  21ba4a9fb7799589ad2a4699bed8333a5f9e11eeda72103ef124881e5dd00b23d2a419e7c5682a53301f44b0e6ea7c369a5fa00d7b757d33fb99ad6846d8f8cc

                                                  Download Submit

                                                • memory/0-60-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/260-102-0x0000000031770000-0x000000003177D000-memory.dmp

                                                  Filesize

                                                  52KB

                                                  Download

                                                • memory/360-56-0x0000000000400000-0x000000000057C000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/360-61-0x0000000000400000-0x000000000057C000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/704-173-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/704-174-0x0000000031900000-0x000000003190D000-memory.dmp

                                                  Filesize

                                                  52KB

                                                  Download

                                                • memory/704-175-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/704-176-0x0000000031900000-0x000000003190D000-memory.dmp

                                                  Filesize

                                                  52KB

                                                  Download

                                                • memory/1084-151-0x00000000240F0000-0x0000000024152000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1084-100-0x00000000240F0000-0x0000000024152000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1084-179-0x00000000240F0000-0x0000000024152000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1084-150-0x0000000006980000-0x0000000006AFC000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1084-93-0x0000000000400000-0x000000000057C000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1084-177-0x0000000006980000-0x0000000006AFC000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1240-178-0x00000000318E0000-0x00000000318ED000-memory.dmp

                                                  Filesize

                                                  52KB

                                                  Download

                                                • memory/1240-82-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1240-85-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1240-76-0x00000000745A1000-0x00000000745A3000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/1240-147-0x00000000318E0000-0x00000000318ED000-memory.dmp

                                                  Filesize

                                                  52KB

                                                  Download

                                                • memory/1268-71-0x0000000024010000-0x0000000024072000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1800-95-0x00000000240F0000-0x0000000024152000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1800-77-0x0000000024080000-0x00000000240E2000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1800-68-0x0000000024010000-0x0000000024072000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1800-66-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/1800-101-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/1800-87-0x00000000002D0000-0x0000000000332000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1800-65-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/1800-64-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/1800-92-0x0000000001E60000-0x0000000001FDC000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1800-57-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/1800-63-0x0000000075771000-0x0000000075773000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/1800-62-0x0000000000400000-0x0000000000458000-memory.dmp

                                                  Filesize

                                                  352KB

                                                  Download

                                                • memory/1848-158-0x0000000000400000-0x000000000057C000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1848-168-0x00000000318F0000-0x00000000318FD000-memory.dmp

                                                  Filesize

                                                  52KB

                                                  Download

                                                • memory/1848-166-0x0000000000400000-0x000000000057C000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1848-159-0x00000000318F0000-0x00000000318FD000-memory.dmp

                                                  Filesize

                                                  52KB

                                                  Download