Overview

overview

10

Static

static

aea54560b7...21.exe

windows7-x64

10

aea54560b7...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe

  • Size

    639KB

  • MD5

    1d12caac9cf70f982331c1bc4461783e

  • SHA1

    1249e8a0ac9f83b619bf376abf089821b15ed79f

  • SHA256

    aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

  • SHA512

    2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057

  • SSDEEP

    12288:AlmOKxg09ePyOT94iVGDOMHS5VtIVQWaglJLobyQqVtQhU7:+KxlER48sOR7WaMNYyQqV5

Score
10/10
cybergatel4ruagilenetpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

l4ru

C2

brosto.strangled.net:81

brosto.strangled.net:4123

brosto.strangled.net:6745

brosto.strangled.net:7534

brosto.strangled.net:7653

sasaze.chickenkiller.com:7875

sasaze.chickenkiller.com:8545

sasaze.chickenkiller.com:8642

sasaze.chickenkiller.com:8742

sasaze.chickenkiller.com:8954

brostod.jumpingcrab.com:9647

brostod.jumpingcrab.com:9743

brostod.jumpingcrab.com:9866

brostod.jumpingcrab.com:10535

brostod.jumpingcrab.com:10877

1844205166:53575

1844205166:58656

1844205166:59534

1844205166:59642
Mutex

HN6MPGL8C6B6K0

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    interface

  • install_file

    csrsc.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    a123123123

  • regkey_hkcu

    exploruse

  • regkey_hklm

    exploruse

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Obfuscated with Agile.Net obfuscator 3 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe
    "C:\Users\Admin\AppData\Local\Temp\aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:556
    • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
      • C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        PID:1132
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          4⤵
            PID:4320
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            4⤵
              PID:3312
            • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
              4⤵
              • Executes dropped EXE
              PID:4292
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          2⤵
            PID:3396
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            2⤵
              PID:3512
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
                PID:1404
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                  PID:3916
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                  2⤵
                    PID:1732
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                    2⤵
                      PID:2064

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log
                    Filesize

                    496B

                    MD5

                    cb76b18ebed3a9f05a14aed43d35fba6

                    SHA1

                    836a4b4e351846fca08b84149cb734cb59b8c0d6

                    SHA256

                    8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

                    SHA512

                    7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
                    Filesize

                    234KB

                    MD5

                    b26bbcfb276900a1eed8ba68446a2d06

                    SHA1

                    1969dcdfde0ef2f9a47db4e722f591b50e980b59

                    SHA256

                    e7290f0d95c5b4508b722a8e2c79ff4073bf33a82f63fbf9c5f692667e79cd33

                    SHA512

                    67c475f3efb03e90e4fa06b79945a9169b22d4f31202d0ebbb62cff428ce2a6330ef459a8bfb6f3133f29dfa51cca9561835eeaf1e8a7b044373fbaa4ab49e9f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
                    Filesize

                    11KB

                    MD5

                    f8bc8d1ca96a71ae8e1e94a16c2b0b7f

                    SHA1

                    fc70099b050befc0d3912c9ecdc234d967fc22a5

                    SHA256

                    7038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f

                    SHA512

                    18b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
                    Filesize

                    11KB

                    MD5

                    f8bc8d1ca96a71ae8e1e94a16c2b0b7f

                    SHA1

                    fc70099b050befc0d3912c9ecdc234d967fc22a5

                    SHA256

                    7038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f

                    SHA512

                    18b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
                    Filesize

                    11KB

                    MD5

                    f8bc8d1ca96a71ae8e1e94a16c2b0b7f

                    SHA1

                    fc70099b050befc0d3912c9ecdc234d967fc22a5

                    SHA256

                    7038d8b4a9eab84047cbf60f68fd47d5192592c57b69f3ec2480dc95c561803f

                    SHA512

                    18b4ea3c0bdf8e1e64bf8f8b3f74dbd34f652f3d1c6850a194d8372f23bd0b2621b751ef9bd4a6a5d7959192aeac4b4ad130cb12f7d690599e4b1a666410c1f8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
                    Filesize

                    639KB

                    MD5

                    1d12caac9cf70f982331c1bc4461783e

                    SHA1

                    1249e8a0ac9f83b619bf376abf089821b15ed79f

                    SHA256

                    aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

                    SHA512

                    2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
                    Filesize

                    639KB

                    MD5

                    1d12caac9cf70f982331c1bc4461783e

                    SHA1

                    1249e8a0ac9f83b619bf376abf089821b15ed79f

                    SHA256

                    aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

                    SHA512

                    2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057

                    Download Submit

                  • memory/556-147-0x0000000000000000-mapping.dmp

                    Download

                  • memory/556-158-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/556-155-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/1132-165-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1404-180-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/1404-179-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/1404-175-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1728-132-0x00000000746C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/1728-133-0x00000000746C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/1728-198-0x00000000746C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/1732-192-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/1732-191-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/1732-187-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2064-199-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/2064-197-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/2064-193-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2236-137-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/2236-146-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/2236-135-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/2236-138-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/2236-141-0x0000000010410000-0x0000000010480000-memory.dmp

                    Filesize

                    448KB

                    Download

                  • memory/2236-136-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/2236-134-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2800-145-0x0000000010410000-0x0000000010480000-memory.dmp

                    Filesize

                    448KB

                    Download

                  • memory/2800-140-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2800-144-0x0000000010410000-0x0000000010480000-memory.dmp

                    Filesize

                    448KB

                    Download

                  • memory/2800-157-0x0000000010410000-0x0000000010480000-memory.dmp

                    Filesize

                    448KB

                    Download

                  • memory/3396-160-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3396-168-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/3396-167-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/3512-174-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/3512-173-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/3512-169-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3916-186-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/3916-185-0x0000000000400000-0x000000000044B000-memory.dmp

                    Filesize

                    300KB

                    Download

                  • memory/3916-181-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4292-203-0x00000000746C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/4864-156-0x00000000746C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/4864-152-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4864-200-0x00000000746C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/4864-159-0x00000000746C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    5.7MB

                    Download