Overview

overview

10

Static

static

5

f181bf31f9...f5.exe

windows7-x64

8

f181bf31f9...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5.exe

  • Size

    1.1MB

  • MD5

    40162efe8b87462998c769fa5aa1e99e

  • SHA1

    fad71527956d5cc44601a681a5d92e9e459565c8

  • SHA256

    f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5

  • SHA512

    ef41c6c8a72fa2b1f203f5cf73648df359cf39cedebabf20801dc492fde06550cf8bed05fca1e16b1543017e8db4774a25ea7922471d4b0b3608583e271afbb7

  • SSDEEP

    24576:mtb20pkaCqT5TBWgNQ7azb7Lh3i0GzxmCTHUWlI7L6A:TVg5tQ7an7LsDBJS5

Score
10/10
cybergateknielerpersistencestealertrojan

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

knieler

C2

cybergaat.ddns.net:16203

Mutex

N3AH6065VEWHV2

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Win32

  • install_file

    windate

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    .123456

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5.exe
    "C:\Users\Admin\AppData\Local\Temp\f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5.exe"
    1⤵
    • Checks computer location settings
    • NTFS ADS
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Users\Admin\AppData\Roaming\96595.exe
      "C:\Users\Admin\AppData\Roaming\96595.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • NTFS ADS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
          PID:5032
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 12
            4⤵
            • Program crash
            PID:1108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5032 -ip 5032
      1⤵
        PID:3668

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\rr
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\96595.exe
        Filesize

        1.1MB

        MD5

        40162efe8b87462998c769fa5aa1e99e

        SHA1

        fad71527956d5cc44601a681a5d92e9e459565c8

        SHA256

        f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5

        SHA512

        ef41c6c8a72fa2b1f203f5cf73648df359cf39cedebabf20801dc492fde06550cf8bed05fca1e16b1543017e8db4774a25ea7922471d4b0b3608583e271afbb7

        Download Submit
      • C:\Users\Admin\AppData\Roaming\96595.exe
        Filesize

        1.1MB

        MD5

        40162efe8b87462998c769fa5aa1e99e

        SHA1

        fad71527956d5cc44601a681a5d92e9e459565c8

        SHA256

        f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5

        SHA512

        ef41c6c8a72fa2b1f203f5cf73648df359cf39cedebabf20801dc492fde06550cf8bed05fca1e16b1543017e8db4774a25ea7922471d4b0b3608583e271afbb7

        Download Submit
      • memory/4500-132-0x0000000000000000-mapping.dmp
        Download
      • memory/5032-136-0x0000000000000000-mapping.dmp
        Download
      • memory/5032-137-0x0000000000400000-0x000000000044B000-memory.dmp
        Filesize

        300KB

        Download