Overview

overview

10

Static

static

38ed48106c...b8.exe

windows7-x64

10

38ed48106c...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    226s
  • max time network
    239s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe

  • Size

    328KB

  • MD5

    de3c1b8ca015d37518796e5df25900b0

  • SHA1

    33f77379ce18355332806ba63137201c38794e3e

  • SHA256

    38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

  • SHA512

    c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

  • SSDEEP

    6144:5kh54k8aN4wAtZ6FMT5sbpKTtetxHEJzvjnJecyqlGXtWrqO5L1t:m5BlNbigM+bpWE3HWLJfynWpBD

Score
10/10
cybergatecoderpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Coder

C2

assistitvonline24.ddns.net:1338

Mutex

5408e94e23211dd

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Steaml

  • install_file

    juschedlll..exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Upgrade your windows

  • message_box_title

    Upgrade system

  • password

    123

  • regkey_hkcu

    HRV

  • regkey_hklm

    HCR

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2644
      • C:\Users\Admin\AppData\Local\Temp\38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe
        "C:\Users\Admin\AppData\Local\Temp\38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Users\Admin\AppData\Local\Temp\38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE
          "C:\Users\Admin\AppData\Local\Temp\38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8.EXE"
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4448
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:2996
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:932
            • C:\Windows\SysWOW64\Steaml\juschedlll..exe
              "C:\Windows\system32\Steaml\juschedlll..exe"
              5⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:4784
              • C:\Windows\SysWOW64\Steaml\juschedlll..EXE
                "C:\Windows\SysWOW64\Steaml\juschedlll..EXE"
                6⤵
                • Executes dropped EXE
                PID:3136
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 564
                  7⤵
                  • Program crash
                  PID:2020
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 564
                  7⤵
                  • Program crash
                  PID:540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136
      1⤵
        PID:3420

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        229KB

        MD5

        2349dee9318e1f911fcf329e455f33d0

        SHA1

        288dd6b27d19b45fba9dcc41284986aed55405f6

        SHA256

        835b291d3d62b0c9f3861010c3cad166ac4d2544620e159afa3e6bb2b2a39c77

        SHA512

        1a56e7cfbf87336035e983798ae649be04a7c02e08e7e7bd7e7a2819c311304511b579315d1033fb180d296915da6b575fee5c08a484b9e2d163344667603fff

        Download Submit

      • C:\Windows\SysWOW64\Steaml\juschedlll..exe
        Filesize

        328KB

        MD5

        de3c1b8ca015d37518796e5df25900b0

        SHA1

        33f77379ce18355332806ba63137201c38794e3e

        SHA256

        38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

        SHA512

        c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

        Download Submit

      • C:\Windows\SysWOW64\Steaml\juschedlll..exe
        Filesize

        328KB

        MD5

        de3c1b8ca015d37518796e5df25900b0

        SHA1

        33f77379ce18355332806ba63137201c38794e3e

        SHA256

        38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

        SHA512

        c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

        Download Submit

      • C:\Windows\SysWOW64\Steaml\juschedlll..exe
        Filesize

        328KB

        MD5

        de3c1b8ca015d37518796e5df25900b0

        SHA1

        33f77379ce18355332806ba63137201c38794e3e

        SHA256

        38ed48106c0a60bec5ae9476efdd28a19f8727589cb5cd41dbe87cc69e8ae6b8

        SHA512

        c9d1352f5ef4a757296ab2fcbe3feaf9acfacfa762c00d220518956f552ab8834f49299a5bea0be080f7eaa2294011693693cf97dd2aac5ceee70620d784104a

        Download Submit

      • memory/932-155-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

        Download

      • memory/932-151-0x0000000000000000-mapping.dmp

        Download

      • memory/932-171-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

        Download

      • memory/932-157-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2020-172-0x0000000000000000-mapping.dmp

        Download

      • memory/2996-144-0x0000000000000000-mapping.dmp

        Download

      • memory/2996-148-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2996-149-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2996-170-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3136-164-0x0000000000000000-mapping.dmp

        Download

      • memory/3136-173-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3136-169-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3136-168-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4448-138-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4448-136-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4448-135-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4448-137-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4448-140-0x0000000024010000-0x0000000024072000-memory.dmp

        Filesize

        392KB

        Download

      • memory/4448-156-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4448-134-0x0000000000000000-mapping.dmp

        Download

      • memory/4448-152-0x00000000240F0000-0x0000000024152000-memory.dmp

        Filesize

        392KB

        Download

      • memory/4448-145-0x0000000024080000-0x00000000240E2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/4784-160-0x0000000000000000-mapping.dmp

        Download