Analysis
-
max time kernel
177s -
max time network
193s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
24-11-2022 02:13
General
-
Target
aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
-
Size
639KB
-
MD5
1d12caac9cf70f982331c1bc4461783e
-
SHA1
1249e8a0ac9f83b619bf376abf089821b15ed79f
-
SHA256
aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21
-
SHA512
2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057
-
SSDEEP
12288:AlmOKxg09ePyOT94iVGDOMHS5VtIVQWaglJLobyQqVtQhU7:+KxlER48sOR7WaMNYyQqV5
Malware Config
Extracted
cybergate
v3.4.2.2
l4ru
brosto.strangled.net:81
brosto.strangled.net:4123
brosto.strangled.net:6745
brosto.strangled.net:7534
brosto.strangled.net:7653
sasaze.chickenkiller.com:7875
sasaze.chickenkiller.com:8545
sasaze.chickenkiller.com:8642
sasaze.chickenkiller.com:8742
sasaze.chickenkiller.com:8954
brostod.jumpingcrab.com:9647
brostod.jumpingcrab.com:9743
brostod.jumpingcrab.com:9866
brostod.jumpingcrab.com:10535
brostod.jumpingcrab.com:10877
1844205166:53575
1844205166:58656
1844205166:59534
1844205166:59642
HN6MPGL8C6B6K0
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
interface
-
install_file
csrsc.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
a123123123
-
regkey_hkcu
exploruse
-
regkey_hklm
exploruse
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 18 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe"C:\Users\Admin\AppData\Local\Temp\aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
234KB
MD5b26bbcfb276900a1eed8ba68446a2d06
SHA11969dcdfde0ef2f9a47db4e722f591b50e980b59
SHA256e7290f0d95c5b4508b722a8e2c79ff4073bf33a82f63fbf9c5f692667e79cd33
SHA51267c475f3efb03e90e4fa06b79945a9169b22d4f31202d0ebbb62cff428ce2a6330ef459a8bfb6f3133f29dfa51cca9561835eeaf1e8a7b044373fbaa4ab49e9f
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exeFilesize
11KB
MD5f8bc8d1ca96a71ae8e1e94a16c2b0b7f
SHA1fc70099b050befc0d3912c9ecdc234d967fc22a5
SHA2567038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f
SHA51218b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exeFilesize
11KB
MD5f8bc8d1ca96a71ae8e1e94a16c2b0b7f
SHA1fc70099b050befc0d3912c9ecdc234d967fc22a5
SHA2567038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f
SHA51218b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exeFilesize
639KB
MD51d12caac9cf70f982331c1bc4461783e
SHA11249e8a0ac9f83b619bf376abf089821b15ed79f
SHA256aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21
SHA5122a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057
-
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exeFilesize
639KB
MD51d12caac9cf70f982331c1bc4461783e
SHA11249e8a0ac9f83b619bf376abf089821b15ed79f
SHA256aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21
SHA5122a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057
-
\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exeFilesize
11KB
MD5f8bc8d1ca96a71ae8e1e94a16c2b0b7f
SHA1fc70099b050befc0d3912c9ecdc234d967fc22a5
SHA2567038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f
SHA51218b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8
-
\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exeFilesize
639KB
MD51d12caac9cf70f982331c1bc4461783e
SHA11249e8a0ac9f83b619bf376abf089821b15ed79f
SHA256aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21
SHA5122a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057
-
memory/568-172-0x0000000000409860-mapping.dmp
-
memory/568-180-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/568-181-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/608-104-0x0000000000409860-mapping.dmp
-
memory/608-112-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/608-113-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/652-343-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/652-342-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/652-334-0x0000000000409860-mapping.dmp
-
memory/672-83-0x0000000000000000-mapping.dmp
-
memory/672-88-0x0000000010410000-0x0000000010480000-memory.dmpFilesize
448KB
-
memory/672-140-0x0000000010410000-0x0000000010480000-memory.dmpFilesize
448KB
-
memory/672-91-0x0000000010410000-0x0000000010480000-memory.dmpFilesize
448KB
-
memory/672-90-0x0000000010410000-0x0000000010480000-memory.dmpFilesize
448KB
-
memory/680-161-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/680-160-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/680-152-0x0000000000409860-mapping.dmp
-
memory/764-402-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/764-403-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/764-394-0x0000000000409860-mapping.dmp
-
memory/816-442-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/816-434-0x0000000000409860-mapping.dmp
-
memory/856-283-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/856-282-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/856-274-0x0000000000409860-mapping.dmp
-
memory/920-241-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/920-233-0x0000000000409860-mapping.dmp
-
memory/920-243-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/956-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmpFilesize
8KB
-
memory/956-56-0x0000000074260000-0x000000007480B000-memory.dmpFilesize
5.7MB
-
memory/956-223-0x0000000074260000-0x000000007480B000-memory.dmpFilesize
5.7MB
-
memory/956-55-0x0000000074260000-0x000000007480B000-memory.dmpFilesize
5.7MB
-
memory/956-354-0x0000000000409860-mapping.dmp
-
memory/956-363-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/956-362-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/992-201-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/992-202-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/992-193-0x0000000000409860-mapping.dmp
-
memory/1052-302-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1052-303-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1052-294-0x0000000000409860-mapping.dmp
-
memory/1160-139-0x0000000074260000-0x000000007480B000-memory.dmpFilesize
5.7MB
-
memory/1160-182-0x0000000074260000-0x000000007480B000-memory.dmpFilesize
5.7MB
-
memory/1160-136-0x0000000000000000-mapping.dmp
-
memory/1192-423-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1192-414-0x0000000000409860-mapping.dmp
-
memory/1192-422-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1520-262-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1520-263-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1520-254-0x0000000000409860-mapping.dmp
-
memory/1524-213-0x0000000000409860-mapping.dmp
-
memory/1524-229-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1524-242-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1532-132-0x0000000074260000-0x000000007480B000-memory.dmpFilesize
5.7MB
-
memory/1532-80-0x0000000074260000-0x000000007480B000-memory.dmpFilesize
5.7MB
-
memory/1532-72-0x0000000000000000-mapping.dmp
-
memory/1644-141-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1644-124-0x0000000000409860-mapping.dmp
-
memory/1644-133-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-85-0x0000000010410000-0x0000000010480000-memory.dmpFilesize
448KB
-
memory/1700-61-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-57-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-58-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-92-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-70-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-68-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-67-0x0000000000409860-mapping.dmp
-
memory/1700-66-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-64-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-63-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-81-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-79-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-77-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-62-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1700-60-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1952-323-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1952-322-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1952-314-0x0000000000409860-mapping.dmp
-
memory/2032-383-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2032-382-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2032-374-0x0000000000409860-mapping.dmp