Analysis

  • max time kernel
    154s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 12:37

General

  • Target

    444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe

  • Size

    2.4MB

  • MD5

    8809a4a1ea93bd00e285537b667be695

  • SHA1

    e188033f765e93fd006bbf7d24df90558c9b4e45

  • SHA256

    444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e

  • SHA512

    17d1606a8deaf0e5b27aa2ac79fba47ebd5c972f0675537ad8b4e90839b394f346cb0266382f6520e3a94c2735bbd001cd104f68e1961cf5c22d986cb665915a

  • SSDEEP

    49152:+moLw7thjaodvMM+ZizIHcamGI+YJ3gYju9SFw5u:PoytA4UM+ZizIHcBGUJQg0+h

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

KI

C2

rhkrdlf.codns.com:8000

Mutex

T574NUUW0H2LS1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2640
      • C:\Users\Admin\AppData\Local\Temp\444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe
        "C:\Users\Admin\AppData\Local\Temp\444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4800
        • C:\windows.exe
          "C:\windows.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Suspicious use of AdjustPrivilegeToken
            PID:4924
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3608
            • C:\directory\CyberGate\install\server.exe
              "C:\directory\CyberGate\install\server.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:5092
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 772
                6⤵
                • Program crash
                PID:756
        • C:\foxserver.exe
          "C:\foxserver.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2232
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5092 -ip 5092
    1⤵
      PID:2440


Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

        Filesize

        224KB

        MD5

        7c7261023415d682b52e200532aa2f24

        SHA1

        312010f4675054e6fccf9a8beda19b42e34ad59d

        SHA256

        4ea8a9572a8d02df1b899b285bf6c5aaf254bb393c37ed04301b42b195e020c3

        SHA512

        d3a07fbcda8769623524e630e75c599e42bb09871c887898751b1548ee66b7347145b333fc4592e77c623e758a00d4ffb8884148b761c9c62f2b623679af8fb3

      • C:\directory\CyberGate\install\server.exe

        Filesize

        1.0MB

        MD5

        ee6444ed154169c95dbc9a7eb23e2f44

        SHA1

        1e78051c1a8312573b96685fd4b3b51b5733bc1a

        SHA256

        74ddfbfc86112b68ac050c7d733a6b4a1ef0f53360c34170c406214f642115f4

        SHA512

        c24534b1872beca028262ecd74f3c93fd5b752e64e6160b79e84708f693dc84af14b997d1312419043d60a74dbfcbf72d322c71229ba0802f229811b5bbef71c

      • C:\foxserver.exe

        Filesize

        3.3MB

        MD5

        21771115fc06f673950bc12c8af47b10

        SHA1

        208c2b72cf3295fe2607bfde8082daee38a24ed3

        SHA256

        ce9bae3731cb8398bccdeb7ea83b006ad2a1b8ec632d9c432fab0724583250c3

        SHA512

        8b49408e41c7d5708e99900a79bbdbf7b042e84875b0b397c4691f73b0b4b3577babb6bec8a676454d197b1004fda804bf8625997a280a2a02a69ca5a437484a

      • C:\windows.exe

        Filesize

        1.0MB

        MD5

        ee6444ed154169c95dbc9a7eb23e2f44

        SHA1

        1e78051c1a8312573b96685fd4b3b51b5733bc1a

        SHA256

        74ddfbfc86112b68ac050c7d733a6b4a1ef0f53360c34170c406214f642115f4

        SHA512

        c24534b1872beca028262ecd74f3c93fd5b752e64e6160b79e84708f693dc84af14b997d1312419043d60a74dbfcbf72d322c71229ba0802f229811b5bbef71c

      • \??\c:\directory\CyberGate\install\server.exe

        Filesize

        1.0MB

        MD5

        ee6444ed154169c95dbc9a7eb23e2f44

        SHA1

        1e78051c1a8312573b96685fd4b3b51b5733bc1a

        SHA256

        74ddfbfc86112b68ac050c7d733a6b4a1ef0f53360c34170c406214f642115f4

        SHA512

        c24534b1872beca028262ecd74f3c93fd5b752e64e6160b79e84708f693dc84af14b997d1312419043d60a74dbfcbf72d322c71229ba0802f229811b5bbef71c

      • memory/2028-140-0x0000000000400000-0x0000000000612000-memory.dmp

        Filesize

        2.1MB

      • memory/2028-156-0x00000000104F0000-0x0000000010555000-memory.dmp

        Filesize

        404KB

      • memory/2028-142-0x0000000010410000-0x0000000010475000-memory.dmp

        Filesize

        404KB

      • memory/2028-139-0x0000000077090000-0x0000000077233000-memory.dmp

        Filesize

        1.6MB

      • memory/2028-147-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/2028-161-0x0000000077090000-0x0000000077233000-memory.dmp

        Filesize

        1.6MB

      • memory/2028-160-0x0000000000400000-0x0000000000612000-memory.dmp

        Filesize

        2.1MB

      • memory/2028-138-0x0000000000400000-0x0000000000612000-memory.dmp

        Filesize

        2.1MB

      • memory/2028-132-0x0000000000000000-mapping.dmp

      • memory/2232-135-0x0000000000000000-mapping.dmp

      • memory/3608-155-0x0000000000000000-mapping.dmp

      • memory/3608-165-0x00000000104F0000-0x0000000010555000-memory.dmp

        Filesize

        404KB

      • memory/3608-170-0x00000000104F0000-0x0000000010555000-memory.dmp

        Filesize

        404KB

      • memory/3608-159-0x00000000104F0000-0x0000000010555000-memory.dmp

        Filesize

        404KB

      • memory/4924-168-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/4924-146-0x0000000000000000-mapping.dmp

      • memory/4924-150-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/4924-151-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/5092-164-0x0000000000400000-0x0000000000612000-memory.dmp

        Filesize

        2.1MB

      • memory/5092-162-0x0000000000000000-mapping.dmp

      • memory/5092-166-0x0000000077090000-0x0000000077233000-memory.dmp

        Filesize

        1.6MB

      • memory/5092-167-0x0000000000400000-0x0000000000612000-memory.dmp

        Filesize

        2.1MB

      • memory/5092-169-0x0000000000400000-0x0000000000612000-memory.dmp

        Filesize

        2.1MB

      • memory/5092-171-0x0000000000400000-0x0000000000612000-memory.dmp

        Filesize

        2.1MB

      • memory/5092-172-0x0000000077090000-0x0000000077233000-memory.dmp

        Filesize

        1.6MB