Overview

overview

10

Static

static

7a3af6e2ac...54.exe

windows7-x64

10

7a3af6e2ac...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2022 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54.exe

  • Size

    612KB

  • MD5

    330a12dc5136edb89642a6a56c3a592b

  • SHA1

    85583ce41f417fca8f6f16d0e5a3ded1a6c56b59

  • SHA256

    7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54

  • SHA512

    4341ef67cd6df477915be6f6fbebaaba5822a7cb6c49e34fdabf10d793e194d91e18c7fdf85b63a8a71df85b6aff2c08e368114082ae2c51e4cc14c03e09a287

  • SSDEEP

    12288:BzUlr7Ecomkz4Yd5nZxwZUNDUJw6MsiAP1:9mUDJ0YTjwi4wk

Score
10/10
cybergatevictempersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

Victem

C2

5rfan.no-ip.biz:999

Mutex

3QR57BFCJE2BUQ

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    h8oor

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54.exe
        "C:\Users\Admin\AppData\Local\Temp\7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1236
        • C:\Users\Admin\AppData\Local\Temp\7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54.exe
          "C:\Users\Admin\AppData\Local\Temp\7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1552
        • C:\Windows\SysWOW64\install\server.exe
          "C:\Windows\system32\install\server.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:876

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      236KB

      MD5

      68d1da5197757372619a1e978ac01f49

      SHA1

      932c5a7b6ec32b625cd8a0ad1f183fa108ec4dbd

      SHA256

      e33da735f266bdc34ba49fdd98e28f016ba8a04d3009ccf21b52aa760247b5d6

      SHA512

      d622a1565f4f7143d3f74d387b282224036591d2e0a3aea6805a4e9c6357c2c980dc755e7ad1a8438724d6fd1333983be84e029b250e8034b5614cf4f2dfdf88

      Download Submit

    • C:\Windows\SysWOW64\install\server.exe
      Filesize

      612KB

      MD5

      330a12dc5136edb89642a6a56c3a592b

      SHA1

      85583ce41f417fca8f6f16d0e5a3ded1a6c56b59

      SHA256

      7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54

      SHA512

      4341ef67cd6df477915be6f6fbebaaba5822a7cb6c49e34fdabf10d793e194d91e18c7fdf85b63a8a71df85b6aff2c08e368114082ae2c51e4cc14c03e09a287

      Download Submit

    • C:\Windows\SysWOW64\install\server.exe
      Filesize

      612KB

      MD5

      330a12dc5136edb89642a6a56c3a592b

      SHA1

      85583ce41f417fca8f6f16d0e5a3ded1a6c56b59

      SHA256

      7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54

      SHA512

      4341ef67cd6df477915be6f6fbebaaba5822a7cb6c49e34fdabf10d793e194d91e18c7fdf85b63a8a71df85b6aff2c08e368114082ae2c51e4cc14c03e09a287

      Download Submit

    • \Windows\SysWOW64\install\server.exe
      Filesize

      612KB

      MD5

      330a12dc5136edb89642a6a56c3a592b

      SHA1

      85583ce41f417fca8f6f16d0e5a3ded1a6c56b59

      SHA256

      7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54

      SHA512

      4341ef67cd6df477915be6f6fbebaaba5822a7cb6c49e34fdabf10d793e194d91e18c7fdf85b63a8a71df85b6aff2c08e368114082ae2c51e4cc14c03e09a287

      Download Submit

    • \Windows\SysWOW64\install\server.exe
      Filesize

      612KB

      MD5

      330a12dc5136edb89642a6a56c3a592b

      SHA1

      85583ce41f417fca8f6f16d0e5a3ded1a6c56b59

      SHA256

      7a3af6e2ac6075f9e9edf7783290f0999838d74966161ddb7b6f12bdbeaf4a54

      SHA512

      4341ef67cd6df477915be6f6fbebaaba5822a7cb6c49e34fdabf10d793e194d91e18c7fdf85b63a8a71df85b6aff2c08e368114082ae2c51e4cc14c03e09a287

      Download Submit

    • memory/876-102-0x0000000000260000-0x0000000000299000-memory.dmp

      Filesize

      228KB

      Download

    • memory/876-101-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/876-100-0x0000000000260000-0x0000000000299000-memory.dmp

      Filesize

      228KB

      Download

    • memory/876-99-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/876-96-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/876-94-0x0000000000000000-mapping.dmp

      Download

    • memory/1236-66-0x0000000000000000-mapping.dmp

      Download

    • memory/1236-68-0x0000000075431000-0x0000000075433000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1236-77-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1236-67-0x00000000766F1000-0x00000000766F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1236-74-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1272-63-0x0000000010410000-0x0000000010482000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1284-84-0x0000000010510000-0x0000000010582000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1284-60-0x0000000010410000-0x0000000010482000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1284-55-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1284-58-0x0000000001D51000-0x0000000001D55000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1284-54-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1284-69-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1284-97-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/1284-57-0x0000000000640000-0x0000000000679000-memory.dmp

      Filesize

      228KB

      Download

    • memory/1284-98-0x0000000000640000-0x0000000000679000-memory.dmp

      Filesize

      228KB

      Download

    • memory/1284-56-0x00000000001B0000-0x00000000001B4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1552-90-0x0000000010510000-0x0000000010582000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1552-82-0x0000000000000000-mapping.dmp

      Download

    • memory/1552-89-0x0000000010510000-0x0000000010582000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1552-103-0x0000000010510000-0x0000000010582000-memory.dmp

      Filesize

      456KB

      Download