Analysis

  • max time kernel
    164s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 23:05

General

  • Target

    813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe

  • Size

    431KB

  • MD5

    e0bb084cee8de5d16f817283ad8c799f

  • SHA1

    7d1ae37b26406bf03b39b3b35da4fd2c897f5b1e

  • SHA256

    813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242

  • SHA512

    fac101a5592bbb53e37062057321a08d3a0b931f244dcebf9cfdb26fd6023effd258cc2d77697798635ede9ababf1867b7dda3f54411a0220570fb23890f07e6

  • SSDEEP

    12288:OAarz4BkDPQqeJLHAY4m7Bszl15WyN6ehat/F:Xarz4BGQBt4BfWq6MG

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

wwc.ddns.net:81

Mutex

U11R10TOVBKO35

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
        "C:\Users\Admin\AppData\Local\Temp\813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4308
        • C:\Users\Admin\AppData\Local\Temp\813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
          C:\Users\Admin\AppData\Local\Temp\813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3364
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:5108
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            4⤵
              PID:3416
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4444
            • C:\directory\CyberGate\install\server.exe
              "C:\directory\CyberGate\install\server.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:3452
              • C:\directory\CyberGate\install\server.exe
                C:\directory\CyberGate\install\server.exe
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:508

      Network

      MITRE ATT&CK Matrix (ATT&CK v6)

      • Persistence: Registry Run Keys / Startup Folder (T1060), 2 matches
      • Defense Evasion: Modify Registry (T1112), 2 matches
      • Discovery: Query Registry (T1012), 1 match
      • Discovery: System Information Discovery (T1082), 2 matches

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        385KB

        MD5

        37586b75bce43253652b6dc2c155368e

        SHA1

        c7ea946db305085fb12ef82cfee9985a07f7e6cc

        SHA256

        7dea84488916afec00db65ff9e1b28f4862cd52bd7ddc6011ae84be89dbafde9

        SHA512

        fb3f5ee53c2b7879a904764f92907747272ed99f5d487699cd36c9872a2113a2e9e05c21cd4649b91ff5a1afb441211ab00b3e469642677fa110d1507347e6d6

      • C:\directory\CyberGate\install\server.exe
        Filesize

        431KB

        MD5

        e0bb084cee8de5d16f817283ad8c799f

        SHA1

        7d1ae37b26406bf03b39b3b35da4fd2c897f5b1e

        SHA256

        813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242

        SHA512

        fac101a5592bbb53e37062057321a08d3a0b931f244dcebf9cfdb26fd6023effd258cc2d77697798635ede9ababf1867b7dda3f54411a0220570fb23890f07e6

      • \??\c:\directory\CyberGate\install\server.exe
        Filesize

        431KB

        MD5

        e0bb084cee8de5d16f817283ad8c799f

        SHA1

        7d1ae37b26406bf03b39b3b35da4fd2c897f5b1e

        SHA256

        813d544ed8db4d772355747dedfe28985ffb1a8d4fce3b0a8844ad9eea781242

        SHA512

        fac101a5592bbb53e37062057321a08d3a0b931f244dcebf9cfdb26fd6023effd258cc2d77697798635ede9ababf1867b7dda3f54411a0220570fb23890f07e6

      • memory/508-176-0x0000000000400000-0x0000000000471000-memory.dmp
        Filesize

        452KB

      • memory/508-175-0x0000000000400000-0x0000000000471000-memory.dmp
        Filesize

        452KB

      • memory/508-169-0x0000000000000000-mapping.dmp
      • memory/3364-140-0x0000000010410000-0x0000000010480000-memory.dmp
        Filesize

        448KB

      • memory/3364-145-0x0000000000400000-0x0000000000471000-memory.dmp
        Filesize

        452KB

      • memory/3364-146-0x0000000010480000-0x00000000104F0000-memory.dmp
        Filesize

        448KB

      • memory/3364-133-0x0000000000000000-mapping.dmp
      • memory/3364-134-0x0000000000400000-0x0000000000471000-memory.dmp
        Filesize

        452KB

      • memory/3364-138-0x0000000000400000-0x0000000000471000-memory.dmp
        Filesize

        452KB

      • memory/3364-154-0x00000000104F0000-0x0000000010560000-memory.dmp
        Filesize

        448KB

      • memory/3364-135-0x0000000000400000-0x0000000000471000-memory.dmp
        Filesize

        452KB

      • memory/3364-159-0x0000000010560000-0x00000000105D0000-memory.dmp
        Filesize

        448KB

      • memory/3364-168-0x0000000000400000-0x0000000000471000-memory.dmp
        Filesize

        452KB

      • memory/3364-136-0x0000000000400000-0x0000000000471000-memory.dmp
        Filesize

        452KB

      • memory/3452-166-0x0000000000000000-mapping.dmp
      • memory/3452-174-0x0000000072FA0000-0x0000000073551000-memory.dmp
        Filesize

        5.7MB

      • memory/4308-132-0x0000000074FF0000-0x00000000755A1000-memory.dmp
        Filesize

        5.7MB

      • memory/4308-137-0x0000000074FF0000-0x00000000755A1000-memory.dmp
        Filesize

        5.7MB

      • memory/4444-165-0x0000000010560000-0x00000000105D0000-memory.dmp
        Filesize

        448KB

      • memory/4444-163-0x0000000010560000-0x00000000105D0000-memory.dmp
        Filesize

        448KB

      • memory/4444-162-0x0000000010560000-0x00000000105D0000-memory.dmp
        Filesize

        448KB

      • memory/4444-158-0x0000000000000000-mapping.dmp
      • memory/5108-164-0x0000000010480000-0x00000000104F0000-memory.dmp
        Filesize

        448KB

      • memory/5108-144-0x0000000000000000-mapping.dmp
      • memory/5108-150-0x0000000010480000-0x00000000104F0000-memory.dmp
        Filesize

        448KB

      • memory/5108-149-0x0000000010480000-0x00000000104F0000-memory.dmp
        Filesize

        448KB