Analysis
-
max time kernel
154s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23-11-2022 13:50
General
-
Target
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe
-
Size
1.0MB
-
MD5
501beaec545972571ca743ff468cae5b
-
SHA1
4e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
-
SHA256
815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
-
SHA512
2f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
SSDEEP
12288:EjkArEN249AyE/rbaMct4bO2/Vf0cCoFmZv07A6IdSlloroY30wnqomLskYtI:nFE//Tct4bOsyczmydI8lycOqdcI
Malware Config
Extracted
cybergate
v1.04.8
hottrod
d16.no-ip.biz:3178
L7471Y70V2WVK3
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
m2340440
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 8 IoCs
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 8 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe"C:\Users\Admin\AppData\Local\Temp\815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C ipconfig /flushdns2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns3⤵
- Gathers network information
-
C:\Users\Admin\AppData\Roaming\svzhost.exeC:\Users\Admin\AppData\Roaming\svzhost.exe2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C ipconfig /flushdns3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns4⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C ipconfig /flushdns3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns4⤵
- Gathers network information
-
C:\Users\Admin\AppData\Roaming\svzhost.exe"C:\Users\Admin\AppData\Roaming\svzhost.exe"3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\svzhost.exe"C:\Users\Admin\AppData\Roaming\svzhost.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\directory\CyberGate\install\server.exe"C:\directory\CyberGate\install\server.exe"5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C ipconfig /flushdns6⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns7⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C ipconfig /flushdns6⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns7⤵
- Gathers network information
-
C:\Users\Admin\AppData\Roaming\svzhost.exeC:\Users\Admin\AppData\Roaming\svzhost.exe6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C ipconfig /flushdns7⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns8⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C ipconfig /flushdns7⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns8⤵
- Gathers network information
-
C:\Users\Admin\AppData\Roaming\svzhost.exe"C:\Users\Admin\AppData\Roaming\svzhost.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\svzhost.exe"C:\Users\Admin\AppData\Roaming\svzhost.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\svzhost.exe"C:\Users\Admin\AppData\Roaming\svzhost.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txtFilesize
222KB
MD5550521ce5ba350ce99d58374af03c63d
SHA16e7d81228d5d4cf44b75155300ddf2240062da15
SHA2566798037a33eccaffe4e8515388019ee992345238b84c78b37eda0f770d31feba
SHA51286a63c10b9673e34774bac960bd15d70e756e8fd42f98ac4b1178b151004bb96f3e222f342c3e5f316ee35357dec6f5a57d228185283235babaad480726cd0bd
-
C:\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD59b71207872dbbfb3984cb57044abe52d
SHA1b512b2c02879f5d5941e17792610129f1b7472fe
SHA25627798836cb4f45f83d5f4d6d803ba85fdd37ff09df034a11145089ea5ed6ad6e
SHA5120df692714a1ed3956f7fcc62cd9aae0fb61aab0d4950bbe03b651395bc0bbf857378979372f389c7de79e6cbcc9fe8a446f986ffdc6161762580b0b43221c370
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5fd69dad4fad066cf3a0473284811838b
SHA11d4b03450f8275002c1ab73bb04d324ea03c1cb4
SHA25664d405dba5ec60265b8828bbd670c7abb741b5cee0cc6007e89163df5fdfe08d
SHA5124f63e044d0df24a24b913e264476b2999792c0e5d4be73ea2766d81a25aa7e7bc9f6055a1baaa03c1e6f970a63577c28c27dd16368dd93e8fb1e940f55994411
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD55629a402bc6bf921087b479738c25ca9
SHA14c4c4f1aa313b2a5ae856722010cd88baf4c6be6
SHA256c023fba5f54e63cb099d948f2213fe2578c352d4096d3924d5b460ceac0bcea7
SHA512e95fcf29f7a8c7a46340e087e0ae6bb119c1bbebd8e96aabf0b516c4799726e37c28e98fa6d32bb2192ab35bf430f01b248befa74e820a84f4f62f2ea1630fb8
-
C:\directory\CyberGate\install\server.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
C:\directory\CyberGate\install\server.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
\Users\Admin\AppData\Roaming\svzhost.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
\directory\CyberGate\install\server.exeFilesize
1.0MB
MD5501beaec545972571ca743ff468cae5b
SHA14e8b4f91d4e5eed8c6ff4632ffcf2d5feb2aeb8c
SHA256815fa7b14be7c747ef6574e5c8bb6519f5177111b47b2d5a20709d10aeaf90b6
SHA5122f9d2faead9b2f4a872bd0ce107e1e9cae657ce2d3333545198c04b748269cfcd056d42d41fd5e587a67fc0b6b00a8fc3d305c1c7061cb98a0656755b04dee6a
-
memory/284-118-0x0000000000000000-mapping.dmp
-
memory/468-112-0x0000000000000000-mapping.dmp
-
memory/536-123-0x000000000041F960-mapping.dmp
-
memory/536-128-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/536-122-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/536-129-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/536-120-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/536-164-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/536-127-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/972-55-0x0000000000000000-mapping.dmp
-
memory/980-162-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/980-145-0x00000000000CBBCC-mapping.dmp
-
memory/980-149-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/980-150-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/1012-93-0x0000000000000000-mapping.dmp
-
memory/1012-114-0x0000000010480000-0x00000000104E1000-memory.dmpFilesize
388KB
-
memory/1012-100-0x0000000010480000-0x00000000104E1000-memory.dmpFilesize
388KB
-
memory/1012-111-0x0000000009B40000-0x0000000009C25000-memory.dmpFilesize
916KB
-
memory/1012-102-0x0000000010480000-0x00000000104E1000-memory.dmpFilesize
388KB
-
memory/1012-96-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/1012-163-0x0000000010480000-0x00000000104E1000-memory.dmpFilesize
388KB
-
memory/1056-59-0x0000000000000000-mapping.dmp
-
memory/1364-117-0x0000000000000000-mapping.dmp
-
memory/1400-110-0x0000000000000000-mapping.dmp
-
memory/1508-80-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/1508-81-0x00000000000CBBCC-mapping.dmp
-
memory/1508-103-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/1508-78-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/1508-97-0x0000000010480000-0x00000000104E1000-memory.dmpFilesize
388KB
-
memory/1508-89-0x0000000010410000-0x0000000010471000-memory.dmpFilesize
388KB
-
memory/1508-86-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/1508-87-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/1508-85-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/1508-83-0x00000000000C0000-0x000000000010E000-memory.dmpFilesize
312KB
-
memory/1556-133-0x0000000000000000-mapping.dmp
-
memory/1584-64-0x0000000000000000-mapping.dmp
-
memory/1584-69-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/1584-141-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/1668-71-0x0000000000000000-mapping.dmp
-
memory/1672-107-0x0000000000000000-mapping.dmp
-
memory/1672-151-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/1672-57-0x0000000000000000-mapping.dmp
-
memory/1672-113-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/1724-74-0x0000000000000000-mapping.dmp
-
memory/1736-75-0x0000000000000000-mapping.dmp
-
memory/1740-161-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1740-155-0x000000000041F960-mapping.dmp
-
memory/1760-165-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/1760-134-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/1760-130-0x0000000000000000-mapping.dmp
-
memory/1908-60-0x0000000000000000-mapping.dmp
-
memory/1912-70-0x0000000000000000-mapping.dmp
-
memory/1976-138-0x0000000000000000-mapping.dmp
-
memory/1980-139-0x0000000000000000-mapping.dmp
-
memory/2044-68-0x00000000038D0000-0x00000000039B5000-memory.dmpFilesize
916KB
-
memory/2044-62-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/2044-77-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/2044-56-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/2044-135-0x0000000000000000-mapping.dmp
-
memory/2044-54-0x0000000075881000-0x0000000075883000-memory.dmpFilesize
8KB