Overview

overview

10

Static

static

1ffeb24245...2f.exe

windows7-x64

10

1ffeb24245...2f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    199s
  • max time network
    209s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ffeb2424534a4512c7494113f4ff3c33c30da42cc9a614c7ffbfa1e0146632f.exe

  • Size

    931KB

  • MD5

    ebeefe34d85cc36dff078ee50c3ed82b

  • SHA1

    2516399edee81f906aa1750ffe2b34f36c4b6348

  • SHA256

    1ffeb2424534a4512c7494113f4ff3c33c30da42cc9a614c7ffbfa1e0146632f

  • SHA512

    6d9692c7edd72a100a519647fcdb8446a154d77cdc775c2e7703157ee6f1a1188aae02861e2490800ce104a7d1880e0cdc73c79e6cfbd6775f1ae77fb5c9015c

  • SSDEEP

    24576:hYMrMImtsYgc0FgjGli6Zx7ZBvV+LLmDLwhe/9YmaDn6rr/qKoS:hT1mtsYr0VZBvgYLhYmaDnoqKoS

Score
10/10
cybergateclientspersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Clients

C2

abapaul.ddns.net:3450

Mutex

MQ17T531JROJ0H

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    MUI

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345678A

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2648
      • C:\Users\Admin\AppData\Local\Temp\1ffeb2424534a4512c7494113f4ff3c33c30da42cc9a614c7ffbfa1e0146632f.exe
        "C:\Users\Admin\AppData\Local\Temp\1ffeb2424534a4512c7494113f4ff3c33c30da42cc9a614c7ffbfa1e0146632f.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3728
        • C:\Users\Admin\AppData\Roaming\tmp.exe
          "C:\Users\Admin\AppData\Roaming\tmp.exe"
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:5116
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Suspicious use of AdjustPrivilegeToken
            PID:5100
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:4240
            • C:\Users\Admin\AppData\Roaming\tmp.exe
              "C:\Users\Admin\AppData\Roaming\tmp.exe"
              4⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:4960
              • C:\Windows\MUI\svchost.exe
                "C:\Windows\MUI\svchost.exe"
                5⤵
                • Executes dropped EXE
                PID:5012
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 592
                  6⤵
                  • Program crash
                  PID:3568
          • C:\Users\Admin\AppData\Local\Temp\#folder#\notepad .exe
            "C:\Users\Admin\AppData\Local\Temp\#folder#\notepad .exe"
            3⤵
            • Executes dropped EXE
            PID:4548
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 5012 -ip 5012
        1⤵
          PID:2976

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\#folder#\notepad .exe
          Filesize

          57KB

          MD5

          454501a66ad6e85175a6757573d79f8b

          SHA1

          8ca96c61f26a640a5b1b1152d055260b9d43e308

          SHA256

          7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

          SHA512

          9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\#folder#\notepad .exe
          Filesize

          57KB

          MD5

          454501a66ad6e85175a6757573d79f8b

          SHA1

          8ca96c61f26a640a5b1b1152d055260b9d43e308

          SHA256

          7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

          SHA512

          9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
          Filesize

          224KB

          MD5

          253682f5e6f8e6d2731f167d2ecd36f1

          SHA1

          db6bdbda1a19498fb458f428ee98c7237e4624f3

          SHA256

          020a6a58906e8798e4503d1d039be815711cc091f49e7dadb8f31bf08d399e81

          SHA512

          5ab903bb87f2ccb3a351eedc3abb111fb73ea7effa0a3d78a2e1f269a7698b61e638f7d2d5adc597f97fb941eccf265e9b541da0da605a0ee9433c37fe72c657

          Download Submit
        • C:\Users\Admin\AppData\Roaming\tmp.exe
          Filesize

          289KB

          MD5

          f3bf34fbcc5d4d8238c81080feba57c1

          SHA1

          0c9c5500054b5e8c90f1e781730a8eee69fc6fb3

          SHA256

          95f8ed76dee24539a80d5e7bc1c16b3cb553e4eff97bf7aeb265e507edbf36ca

          SHA512

          b3142958210017056f06e10db8f32840aff12a2aa36068735614cf818cf6fde7cb0c4a2f67d73996605672467058b064a2b4532acdc1e77020078075e2ea59b3

          Download Submit
        • C:\Users\Admin\AppData\Roaming\tmp.exe
          Filesize

          289KB

          MD5

          f3bf34fbcc5d4d8238c81080feba57c1

          SHA1

          0c9c5500054b5e8c90f1e781730a8eee69fc6fb3

          SHA256

          95f8ed76dee24539a80d5e7bc1c16b3cb553e4eff97bf7aeb265e507edbf36ca

          SHA512

          b3142958210017056f06e10db8f32840aff12a2aa36068735614cf818cf6fde7cb0c4a2f67d73996605672467058b064a2b4532acdc1e77020078075e2ea59b3

          Download Submit
        • C:\Users\Admin\AppData\Roaming\tmp.exe
          Filesize

          289KB

          MD5

          f3bf34fbcc5d4d8238c81080feba57c1

          SHA1

          0c9c5500054b5e8c90f1e781730a8eee69fc6fb3

          SHA256

          95f8ed76dee24539a80d5e7bc1c16b3cb553e4eff97bf7aeb265e507edbf36ca

          SHA512

          b3142958210017056f06e10db8f32840aff12a2aa36068735614cf818cf6fde7cb0c4a2f67d73996605672467058b064a2b4532acdc1e77020078075e2ea59b3

          Download Submit
        • C:\Windows\MUI\svchost.exe
          Filesize

          289KB

          MD5

          f3bf34fbcc5d4d8238c81080feba57c1

          SHA1

          0c9c5500054b5e8c90f1e781730a8eee69fc6fb3

          SHA256

          95f8ed76dee24539a80d5e7bc1c16b3cb553e4eff97bf7aeb265e507edbf36ca

          SHA512

          b3142958210017056f06e10db8f32840aff12a2aa36068735614cf818cf6fde7cb0c4a2f67d73996605672467058b064a2b4532acdc1e77020078075e2ea59b3

          Download Submit
        • C:\Windows\MUI\svchost.exe
          Filesize

          289KB

          MD5

          f3bf34fbcc5d4d8238c81080feba57c1

          SHA1

          0c9c5500054b5e8c90f1e781730a8eee69fc6fb3

          SHA256

          95f8ed76dee24539a80d5e7bc1c16b3cb553e4eff97bf7aeb265e507edbf36ca

          SHA512

          b3142958210017056f06e10db8f32840aff12a2aa36068735614cf818cf6fde7cb0c4a2f67d73996605672467058b064a2b4532acdc1e77020078075e2ea59b3

          Download Submit
        • memory/3728-171-0x0000000075160000-0x0000000075711000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/3728-133-0x0000000075160000-0x0000000075711000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/3728-132-0x0000000075160000-0x0000000075711000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/4548-137-0x0000000000000000-mapping.dmp
          Download
        • memory/4548-170-0x0000000000400000-0x000000000044F000-memory.dmp
          Filesize

          316KB

          Download
        • memory/4548-169-0x0000000000400000-0x000000000044F000-memory.dmp
          Filesize

          316KB

          Download
        • memory/4548-165-0x0000000000400000-0x000000000044F000-memory.dmp
          Filesize

          316KB

          Download
        • memory/4960-156-0x0000000000000000-mapping.dmp
          Download
        • memory/4960-161-0x0000000010560000-0x00000000105C5000-memory.dmp
          Filesize

          404KB

          Download
        • memory/4960-162-0x0000000010560000-0x00000000105C5000-memory.dmp
          Filesize

          404KB

          Download
        • memory/4960-166-0x0000000010560000-0x00000000105C5000-memory.dmp
          Filesize

          404KB

          Download
        • memory/5012-163-0x0000000000000000-mapping.dmp
          Download
        • memory/5100-150-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

          Download
        • memory/5100-147-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

          Download
        • memory/5100-143-0x0000000000000000-mapping.dmp
          Download
        • memory/5116-158-0x0000000010560000-0x00000000105C5000-memory.dmp
          Filesize

          404KB

          Download
        • memory/5116-152-0x00000000104F0000-0x0000000010555000-memory.dmp
          Filesize

          404KB

          Download
        • memory/5116-144-0x0000000010480000-0x00000000104E5000-memory.dmp
          Filesize

          404KB

          Download
        • memory/5116-139-0x0000000010410000-0x0000000010475000-memory.dmp
          Filesize

          404KB

          Download
        • memory/5116-134-0x0000000000000000-mapping.dmp
          Download