Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 18:24 UTC

General

  • Target

    a7a95e0a73a84c3a4b7a315f4f8ef884cc1c754183fdfcb00cc274496e2aa462.exe

  • Size

    276KB

  • MD5

    0ba9a3418c7731d775b2edd321e54f99

  • SHA1

    b10fad1b22fbd334f1cea203f69e3ae90237361e

  • SHA256

    a7a95e0a73a84c3a4b7a315f4f8ef884cc1c754183fdfcb00cc274496e2aa462

  • SHA512

    7aa892292c837c147fc3dcb55ec7a9b82fbf003f4d4301c1b206585a5d37f884e11abf5c5147d0e4386f8d6f43ec50573945f1036b9036cce36687e267ec95a6

  • SSDEEP

    6144:0k4qmO1y+E1WWxgKMBG2p9fWfU/foUSn/3oG50Nr3q:X9hyX1WWxgNp9u0N

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

127.0.0.1:82

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\a7a95e0a73a84c3a4b7a315f4f8ef884cc1c754183fdfcb00cc274496e2aa462.exe
        "C:\Users\Admin\AppData\Local\Temp\a7a95e0a73a84c3a4b7a315f4f8ef884cc1c754183fdfcb00cc274496e2aa462.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          PID:4408
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:224
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Executes dropped EXE
            PID:3708
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 564
              5⤵
              • Program crash
              PID:1256
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3708 -ip 3708
      1⤵
        PID:2112

      Network

      • 8.252.118.126:80
        260 B
        5
      • 8.252.118.126:80
        260 B
        5
      • 127.0.0.1:82
        explorer.exe
      • 13.69.239.74:443
        322 B
        7
      • 127.0.0.1:82
        explorer.exe
      • 8.252.118.126:80
        260 B
        5
      • 127.0.0.1:82
        explorer.exe
      • 93.184.220.29:80
        322 B
        7
      • 127.0.0.1:82
        explorer.exe
      • 8.252.118.126:80
        322 B
        7
      • 8.252.118.126:80
        322 B
        7
      • 8.252.118.126:80
        322 B
        7
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 93.184.221.240:80
        322 B
        7
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 104.80.225.205:443
        322 B
        7
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe
      • 127.0.0.1:82
        explorer.exe

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

        Filesize

        229KB

        MD5

        c285ce933cceaa2e70cbb19546045f2a

        SHA1

        14d7fd17870aeb632223ef4a8dfdf25dce13fe25

        SHA256

        10d4bfd2b4f39a8f025cbfed67e20e185f4d37b450c78ffbfc0de96b8be75a2c

        SHA512

        a6b484de2365fa78941e7eeb9c54ea69ea443c1c9a465f0115f182e2dbd4b89896719c779ef17b6e2a758937ce0f8d2a37e0d2bcae19b79529f2320f5f12301d

      • C:\Windows\SysWOW64\install\server.exe

        Filesize

        276KB

        MD5

        0ba9a3418c7731d775b2edd321e54f99

        SHA1

        b10fad1b22fbd334f1cea203f69e3ae90237361e

        SHA256

        a7a95e0a73a84c3a4b7a315f4f8ef884cc1c754183fdfcb00cc274496e2aa462

        SHA512

        7aa892292c837c147fc3dcb55ec7a9b82fbf003f4d4301c1b206585a5d37f884e11abf5c5147d0e4386f8d6f43ec50573945f1036b9036cce36687e267ec95a6

      • memory/224-153-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

      • memory/224-157-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

      • memory/224-151-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

      • memory/3708-156-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/4104-148-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

      • memory/4104-152-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/4104-132-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

      • memory/4104-134-0x0000000024010000-0x0000000024072000-memory.dmp

        Filesize

        392KB

      • memory/4104-139-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

      • memory/4408-145-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

      • memory/4408-142-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB
