Analysis
-
max time kernel
157s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
08-11-2022 12:26
General
-
Target
bf427b56169ec00dca1063e9018a27928dd7bda540802467dc4a0286ea9b919a.exe
-
Size
613KB
-
MD5
01f796e012b4eb1e558618de023d4e20
-
SHA1
ba494c7fb58e3762bd49e4e21c200f71cf330735
-
SHA256
bf427b56169ec00dca1063e9018a27928dd7bda540802467dc4a0286ea9b919a
-
SHA512
58ec3d910309d35d19b47863d3d2f2567dd037a470f2527768080a8b7467e6294516b461715eb6d728e5e3b53527dedda568ec434b6c1c26d036ca1eaedd37a4
-
SSDEEP
12288:MQXy90YiNitwFR5VC8rPYlDSSYVyTU3Gnq0l7nLaZ/XXi56:MQXy+N9R5VxrP+kVyTGGnq0ZLs/HJ
Malware Config
Extracted
cybergate
2.6
Victima
192.168.0.11:2000
212.198.55.2:81
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
speed
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
texto da mensagem
-
message_box_title
tÃtulo da mensagem
-
password
1234
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 8 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\bf427b56169ec00dca1063e9018a27928dd7bda540802467dc4a0286ea9b919a.exe"C:\Users\Admin\AppData\Local\Temp\bf427b56169ec00dca1063e9018a27928dd7bda540802467dc4a0286ea9b919a.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exe"4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Modifies Installed Components in the registry
-
C:\Windows\SysWOW64\speed\server.exe"C:\Windows\system32\speed\server.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\speed\server.exe"C:\Windows\SysWOW64\speed\server.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 5768⤵
- Program crash
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\speed\server.exe"C:\Windows\system32\speed\server.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\speed\server.exe"C:\Windows\SysWOW64\speed\server.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 5328⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HABBOS~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HABBOS~1.EXE3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2520 -ip 25201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4192 -ip 41921⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HABBOS~1.EXEFilesize
774KB
MD5a51160ab62a801c57b4883163ec5762d
SHA19cd7dff0337a450f9e8879c3cf4ce20895360bb0
SHA25636e0a3532af0e46a393f40718a2dd40f26d684be1388597c6a8a59a7567a539e
SHA5121d74da356a5255f66981287fe3a252f607cdee03ee1b9d39aef01a8fd80eb7bb3c0ba28cc31fd6e38706a7eee77853e9ab80c79628e5d8a55f956d7a91140766
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HABBOS~1.EXEFilesize
774KB
MD5a51160ab62a801c57b4883163ec5762d
SHA19cd7dff0337a450f9e8879c3cf4ce20895360bb0
SHA25636e0a3532af0e46a393f40718a2dd40f26d684be1388597c6a8a59a7567a539e
SHA5121d74da356a5255f66981287fe3a252f607cdee03ee1b9d39aef01a8fd80eb7bb3c0ba28cc31fd6e38706a7eee77853e9ab80c79628e5d8a55f956d7a91140766
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Heart.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txtFilesize
229KB
MD5a22f57b73184a59d38a0eb5bddd4886a
SHA104eb5d90a513853213ebc1d1089bb46c1a303f5e
SHA25619ec9c1d7f145b229538783ce4054175fe0e088b4c2713ec0d6a4fdc5667b0a2
SHA512e06db4325778759b2bb6bc1017d474e1ab72261d0eedd9629e645d6a413b6e74a0d8f54eb930af62fbad52e19a07715e3a867b5157dbde6687c0778e17779129
-
C:\Windows\SysWOW64\speed\server.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
C:\Windows\SysWOW64\speed\server.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
C:\Windows\SysWOW64\speed\server.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
C:\Windows\SysWOW64\speed\server.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
C:\Windows\SysWOW64\speed\server.exeFilesize
378KB
MD5e3b9e4270e8e573533bec521547b72e3
SHA171716aed99b4b322042aaa59480e7057a66f7865
SHA2568cd410b0b5b4fedf823747af91e56bb42703ba16390269775e8e5dcbbe051e90
SHA51214970e4cb30986047352560a0144485552e5468220eb971b965fefe02b22d7d39768f3cf19e910fcfd46c0dcd03da0adc5665a76fc29237ad166ffa6974579ca
-
memory/996-214-0x00000000005E0000-0x00000000005F0000-memory.dmpFilesize
64KB
-
memory/996-204-0x00000000005A0000-0x00000000005B0000-memory.dmpFilesize
64KB
-
memory/996-207-0x00000000005B0000-0x00000000005C0000-memory.dmpFilesize
64KB
-
memory/996-203-0x0000000000580000-0x0000000000590000-memory.dmpFilesize
64KB
-
memory/996-211-0x00000000005D0000-0x00000000005E0000-memory.dmpFilesize
64KB
-
memory/996-201-0x0000000000000000-mapping.dmp
-
memory/996-210-0x00000000005C0000-0x00000000005D0000-memory.dmpFilesize
64KB
-
memory/996-217-0x0000000000610000-0x0000000000620000-memory.dmpFilesize
64KB
-
memory/996-216-0x0000000000600000-0x0000000000610000-memory.dmpFilesize
64KB
-
memory/996-215-0x00000000005F0000-0x0000000000600000-memory.dmpFilesize
64KB
-
memory/996-223-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1236-152-0x0000000000000000-mapping.dmp
-
memory/1236-156-0x0000000004B00000-0x0000000004B9C000-memory.dmpFilesize
624KB
-
memory/1236-158-0x0000000005160000-0x0000000005704000-memory.dmpFilesize
5.6MB
-
memory/1236-159-0x0000000004BB0000-0x0000000004C42000-memory.dmpFilesize
584KB
-
memory/1236-155-0x0000000000080000-0x0000000000148000-memory.dmpFilesize
800KB
-
memory/1236-164-0x0000000004C50000-0x0000000004C5A000-memory.dmpFilesize
40KB
-
memory/1236-165-0x0000000004CC0000-0x0000000004D16000-memory.dmpFilesize
344KB
-
memory/2520-205-0x0000000000000000-mapping.dmp
-
memory/2520-212-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/2520-227-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/2520-218-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/3032-228-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/3032-181-0x0000000000000000-mapping.dmp
-
memory/3032-200-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/3032-186-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/3932-175-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/3932-183-0x0000000024160000-0x00000000241C2000-memory.dmpFilesize
392KB
-
memory/3932-177-0x00000000240F0000-0x0000000024152000-memory.dmpFilesize
392KB
-
memory/3932-187-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/3932-151-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/3932-157-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/3932-168-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/3932-145-0x0000000000000000-mapping.dmp
-
memory/3932-161-0x0000000024010000-0x0000000024072000-memory.dmpFilesize
392KB
-
memory/3932-146-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/3932-150-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/4192-219-0x0000000000000000-mapping.dmp
-
memory/4192-226-0x0000000000400000-0x0000000000456000-memory.dmpFilesize
344KB
-
memory/4496-143-0x0000000002800000-0x0000000002810000-memory.dmpFilesize
64KB
-
memory/4496-137-0x0000000000580000-0x0000000000590000-memory.dmpFilesize
64KB
-
memory/4496-135-0x0000000000420000-0x0000000000430000-memory.dmpFilesize
64KB
-
memory/4496-136-0x0000000000570000-0x0000000000580000-memory.dmpFilesize
64KB
-
memory/4496-132-0x0000000000000000-mapping.dmp
-
memory/4496-138-0x0000000002060000-0x0000000002070000-memory.dmpFilesize
64KB
-
memory/4496-148-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4496-139-0x0000000002070000-0x0000000002080000-memory.dmpFilesize
64KB
-
memory/4496-140-0x0000000002080000-0x0000000002090000-memory.dmpFilesize
64KB
-
memory/4496-141-0x0000000002090000-0x00000000020A0000-memory.dmpFilesize
64KB
-
memory/4496-144-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4496-142-0x00000000027F0000-0x0000000002800000-memory.dmpFilesize
64KB
-
memory/4576-190-0x00000000004B0000-0x00000000004C0000-memory.dmpFilesize
64KB
-
memory/4576-191-0x00000000004D0000-0x00000000004E0000-memory.dmpFilesize
64KB
-
memory/4576-213-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4576-192-0x00000000004F0000-0x0000000000500000-memory.dmpFilesize
64KB
-
memory/4576-193-0x0000000000500000-0x0000000000510000-memory.dmpFilesize
64KB
-
memory/4576-194-0x0000000000520000-0x0000000000530000-memory.dmpFilesize
64KB
-
memory/4576-195-0x0000000000530000-0x0000000000540000-memory.dmpFilesize
64KB
-
memory/4576-197-0x0000000000550000-0x0000000000560000-memory.dmpFilesize
64KB
-
memory/4576-188-0x0000000000000000-mapping.dmp
-
memory/4576-196-0x0000000000540000-0x0000000000550000-memory.dmpFilesize
64KB
-
memory/4576-199-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/4576-198-0x0000000000560000-0x0000000000570000-memory.dmpFilesize
64KB
-
memory/4800-174-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/4800-171-0x0000000024080000-0x00000000240E2000-memory.dmpFilesize
392KB
-
memory/4800-167-0x0000000000000000-mapping.dmp