Overview
Overall score: 10/10

Task results (sample, platform, score):
Static analysis (static1)                          1/10
2014-12-22...b2.exe    windows7-x64            8/10
2014-12-22...b2.exe    windows10-2004-x64      8/10
2014-12-22...48.exe    windows7-x64            7/10
2014-12-22...48.exe    windows10-2004-x64      7/10
2014-12-22...ce.exe    windows7-x64            1/10
2014-12-22...ce.exe    windows10-2004-x64      1/10
2014-12-22...a4.exe    windows7-x64            3/10
2014-12-22...a4.exe    windows10-2004-x64      3/10
2014-12-22...35.exe    windows7-x64            8/10
2014-12-22...35.exe    windows10-2004-x64      7/10
2014-12-22...bb.exe    windows7-x64           10/10
2014-12-22...bb.exe    windows10-2004-x64     10/10
2014-12-22...76.exe    windows7-x64            8/10
2014-12-22...76.exe    windows10-2004-x64      8/10
2014-12-22...57.exe    windows7-x64            6/10
2014-12-22...57.exe    windows10-2004-x64      6/10
2014-12-22...8c.exe    windows7-x64           10/10
2014-12-22...8c.exe    windows10-2004-x64     10/10
2014-12-22...6a.exe    windows7-x64            8/10
2014-12-22...6a.exe    windows10-2004-x64      8/10
2014-12-22...d0.exe    windows7-x64           10/10
2014-12-22...d0.exe    windows10-2004-x64     10/10
2014-12-22...ee.exe    windows7-x64            8/10
2014-12-22...ee.exe    windows10-2004-x64      8/10
2014-12-22...7d.exe    windows7-x64            8/10
2014-12-22...7d.exe    windows10-2004-x64     10/10
2014-12-22...c3.exe    windows7-x64            8/10
2014-12-22...c3.exe    windows10-2004-x64      8/10
2014-12-22...12.exe    windows7-x64            8/10
2014-12-22...12.exe    windows10-2004-x64      8/10
2014-12-22...76.exe    windows7-x64            6/10
2014-12-22...76.exe    windows10-2004-x64      6/10

General
- Target: b0352074c6f0556acf2215aa41e485085b1c7561f645f1d314a570acd31ccc1b
- Size: 6.9MB
- Sample: 221126-nx33rsbg55
- MD5: 59fe496c72aacee9dc5f5e5d8ae63e9f
- SHA1: 5705f38f6b4057eed6c15d87b60088300e9a2161
- SHA256: b0352074c6f0556acf2215aa41e485085b1c7561f645f1d314a570acd31ccc1b
- SHA512: 6715264219de0972cb9465843c194176d4bc5a7588b2d793ca6cbe8d8c50a6519ac02290b4cc4422db68dbbc5055f1ed85771d6cb046cf881af02f73cfcb4bab
- SSDEEP: 98304:YP5OkE6dDbCR7FuC+CmFt2rwsq3UvKGq1kHOsbLnL8zW2TWUUijZb0NtRS3Ge:YP5OESNFL+H8ws/HpLHl6Zb0NU
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: 2014-12-22 #32/12923268c928f103f7f0164be1985cb2.exe (win7-20221111-en)
- behavioral2: 2014-12-22 #32/12923268c928f103f7f0164be1985cb2.exe (win10v2004-20221111-en)
- behavioral3: 2014-12-22 #32/143821c328d1e9cb4d0d9e0389d85848.exe (win7-20220812-en)
- behavioral4: 2014-12-22 #32/143821c328d1e9cb4d0d9e0389d85848.exe (win10v2004-20220812-en)
- behavioral5: 2014-12-22 #32/1952f6f1225202929d7be4217473e7ce.exe (win7-20220812-en)
- behavioral6: 2014-12-22 #32/1952f6f1225202929d7be4217473e7ce.exe (win10v2004-20220812-en)
- behavioral7: 2014-12-22 #32/1b19dc758fc785466abfd973f125e0a4.exe (win7-20221111-en)
- behavioral8: 2014-12-22 #32/1b19dc758fc785466abfd973f125e0a4.exe (win10v2004-20220812-en)
- behavioral9: 2014-12-22 #32/1c5f3bf4ddc6f255a71788deeb052435.exe (win7-20220812-en)
- behavioral10: 2014-12-22 #32/1c5f3bf4ddc6f255a71788deeb052435.exe (win10v2004-20221111-en)
- behavioral11: 2014-12-22 #32/362a366e1bb65d96b8c0eda30c3599bb.exe (win7-20220812-en)
- behavioral12: 2014-12-22 #32/362a366e1bb65d96b8c0eda30c3599bb.exe (win10v2004-20220812-en)
- behavioral13: 2014-12-22 #32/39ba57532da96906e6ddbe8669011e76.exe (win7-20220901-en)
- behavioral14: 2014-12-22 #32/39ba57532da96906e6ddbe8669011e76.exe (win10v2004-20220812-en)
- behavioral15: 2014-12-22 #32/409541f2ca9bc08e528a05970e278e57.exe (win7-20220901-en)
- behavioral16: 2014-12-22 #32/409541f2ca9bc08e528a05970e278e57.exe (win10v2004-20220901-en)
- behavioral17: 2014-12-22 #32/41378f6611e67fca821266bd8d84698c.exe (win7-20221111-en)
- behavioral18: 2014-12-22 #32/41378f6611e67fca821266bd8d84698c.exe (win10v2004-20220812-en)
- behavioral19: 2014-12-22 #32/439dce6b40c39157a046563bcb5e3a6a.exe (win7-20221111-en)
- behavioral20: 2014-12-22 #32/439dce6b40c39157a046563bcb5e3a6a.exe (win10v2004-20220812-en)
- behavioral21: 2014-12-22 #32/639d9e895b7e220be010b3c90432b6d0.exe (win7-20221111-en)
- behavioral22: 2014-12-22 #32/639d9e895b7e220be010b3c90432b6d0.exe (win10v2004-20220901-en)
- behavioral23: 2014-12-22 #32/64fbde6dd4ddff6293c9e71c9fb23cee.exe (win7-20221111-en)
- behavioral24: 2014-12-22 #32/64fbde6dd4ddff6293c9e71c9fb23cee.exe (win10v2004-20220901-en)
- behavioral25: 2014-12-22 #32/7203e66c5a6aa9a0be7162b05151dc7d.exe (win7-20220812-en)
- behavioral26: 2014-12-22 #32/7203e66c5a6aa9a0be7162b05151dc7d.exe (win10v2004-20221111-en)
- behavioral27: 2014-12-22 #32/7d6cbda928ce43eb520730a94c4f33c3.exe (win7-20221111-en)
- behavioral28: 2014-12-22 #32/7d6cbda928ce43eb520730a94c4f33c3.exe (win10v2004-20221111-en)
- behavioral29: 2014-12-22 #32/8164856e9e00ff929e519b7f4ed2df12.exe (win7-20221111-en)
- behavioral30: 2014-12-22 #32/8164856e9e00ff929e519b7f4ed2df12.exe (win10v2004-20221111-en)
- behavioral31: 2014-12-22 #32/864f15a5f814d374bd36992bea448276.exe (win7-20220901-en)
- behavioral32: 2014-12-22 #32/864f15a5f814d374bd36992bea448276.exe (win10v2004-20220812-en)
Malware Config
Extracted
Family: cybergate
Version: v1.07.5
PC
C2: winserver.dlinkddns.com:447, winserver.dlinkddns.com:777
flashplayer
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: smss.exe
- install_dir: flashplayer
- install_file: flashplayer.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: Admin
- regkey_hkcu: flashplayer
- regkey_hklm: flashplayer
Targets

Target: 2014-12-22 #32/12923268c928f103f7f0164be1985cb2
- Size: 515KB
- MD5: 12923268c928f103f7f0164be1985cb2
- SHA1: 41639e6149ca574291ce3e3efaefa4e6f8f57ade
- SHA256: 693527e991f70f27827eabad1a49886a1009055061e39ca1c9a5557dcc10e56c
- SHA512: 455237c02d69c535e7ac0db8580d1e4029fba185839f9fc828ced61ce338aaf7d2fe460869049680cca9cd8701721e5b360a3901c818faf0a1ad327debf071ff
- SSDEEP: 3072:8nrRqBYMmJ6ZL4ueKhhf74xzSSxLGOr9iehVhybyGRO+3sPBnQ79JqUT:8SD9ZL4utwzSe9GROnBQKs
Score: 8/10
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL

Target: 2014-12-22 #32/143821c328d1e9cb4d0d9e0389d85848
- Size: 218KB
- MD5: 143821c328d1e9cb4d0d9e0389d85848
- SHA1: c381509fc45093fed42757a18719e11e3e407cee
- SHA256: a30e46454ebd7526a9bd65706d48e96092cebc90bc275c7d29cd2764f6ffd5e7
- SHA512: 38a4c89cd5680f882ee51a627217dd52ac119a31463b558809ca1b8241571a5abac5b07b04d3b53d6bd8f0c8962f8b23d5f88ed449447eca6932fca323420a52
- SSDEEP: 6144:8pXUj3CoFJnDA4PTr/aRjGZ7FJ+aWubsMeXiAuO6MP:8m3CeDZTggKKHAiZv
Score: 7/10
- Drops startup file

Target: 2014-12-22 #32/1952f6f1225202929d7be4217473e7ce
- Size: 139KB
- MD5: 1952f6f1225202929d7be4217473e7ce
- SHA1: 5b3f201727e5942164c808d2afa35224fd9af939
- SHA256: 9ed4b6fda9fe81a90363674243da3a172c381e3af83f2985d1763d171e7a9467
- SHA512: fd43b89bff8aa2b266a7758f0bc44588978ba42757535af2a58c4def08fea001590cb374c406486daebc8cb8599e76b988be1cd1bf189da8de4046a5256da421
- SSDEEP: 3072:/wPmh/CRyZ5aawYsA/mgLPLQ5HBLiu81+Owv6A9t1h:/wVUD1samgLPLq81+59B
Score: 1/10

Target: 2014-12-22 #32/1b19dc758fc785466abfd973f125e0a4
- Size: 656KB
- MD5: 1b19dc758fc785466abfd973f125e0a4
- SHA1: b48b5f7f750f6d928a033f77d416a15dc28bef5f
- SHA256: 7f3b9ed4a789a7ebc110f722765e7339f7fde4f411248a2a506756871433790c
- SHA512: 6b0ffc3dc1380810b793dfcf3596762f19af85d20420e95c3fb2fb708ca7ee1a0415c736347b5ffd6288da64fe2927ea73cf32f1111205d2cf7c67c620ee64c1
- SSDEEP: 12288:BhkV+PsrufpggsDu8r3UyzxMtsuLbyMgaUE3cmLybn6btYw7bvnx4YenoUo/4wzn:4GvlfsuOeEoeo/c9
Score: 3/10

Target: 2014-12-22 #32/1c5f3bf4ddc6f255a71788deeb052435
- Size: 187KB
- MD5: 1c5f3bf4ddc6f255a71788deeb052435
- SHA1: 4edbcc122517bbd8b3cbcfc736d7ccac9a6f94a3
- SHA256: e010549bbe7901cde65a1f1c4d6b9e1d5075803c536f2c40f6a52ba30e268289
- SHA512: 185cf6566dd3682c5f07c269bbf56cb69e69a05b952beae43c3506d1f4a975cf5656ede14713ad97338ab798369ed919f0550a23e129f5898abb2e03596f223d
- SSDEEP: 3072:oDQkrZoosbIfXJ7GNW3Xf7+Os3s6OH7ej8MBzlnsMpUBfvNgWndV1lCkH3LS/og:oDpoeJGM/7tH6mej8uBfAHhb1lCICp
Score: 8/10
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 2014-12-22 #32/362a366e1bb65d96b8c0eda30c3599bb
- Size: 397KB
- MD5: 362a366e1bb65d96b8c0eda30c3599bb
- SHA1: 6d411063c79f133174d392994d253324215c72f5
- SHA256: 5ce1cbbe1ab33a7ede2b8559306cbd73fdce59d2d63fa0aa18ac1d5442714f1e
- SHA512: 1309a703bb9dbe99cda3fe0cabb7ac2d158fd7bdb4668a1c1091f783d4c04aea702e34c8bdd1ef8e5b7b3a5b98a6b618837cc495799bd480b32fd85fcfb4a0fd
- SSDEEP: 6144:nSA3yoYjSQ7NM+eag1M8Mn9ymc91qhgW15E5/1osTr0J:SkYjSQ30Y9yTgtsPo5J
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 2014-12-22 #32/39ba57532da96906e6ddbe8669011e76
- Size: 136KB
- MD5: 39ba57532da96906e6ddbe8669011e76
- SHA1: 36188c577a00f77814932f440bb53888c0a5829d
- SHA256: d200f44c86db4773993473537f2ea254dd1f29f12d4fb3fc594662eb67d0bab8
- SHA512: f8060093a3f4f75b998fde4b4e9abb0dd55f6cb1889fdd511afc194a06e712c2ac2e7150e68aec5b453ab41f03fd4706d3df741f65a71b07de9f03d854a8457d
- SSDEEP: 1536:5ju/Zx4SGUCjwsTYsUpA/MaVlMPiQHqN7jiojy4ftroTAkIESzV1QeIw98Bk0OAp:iZWlCpMQHIu6yaFZkIECQeIQ8Bk2p
Score: 8/10
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Drops startup file
- Adds Run key to start application

Target: 2014-12-22 #32/409541f2ca9bc08e528a05970e278e57
- Size: 233KB
- MD5: 409541f2ca9bc08e528a05970e278e57
- SHA1: f74fa666a8ef14232a6c61da9e5ae47caaabb5a7
- SHA256: 5148d95eb0c32118ae904534cb1c1098c8cf48a79941f320f8433f76fd78e91b
- SHA512: 311f819fca707b4f22b68cd68a15f7105a45e388b0cd68de345418a158f1eb407b9ee26735be2b2018e8210007d442bc7f3aad2e9692e4db525b8cd4c23e04f8
- SSDEEP: 3072:w1le6UqAYN076conxfvnM9dtQOGDzoiKxAdgbDxNyqStBZ0XEHKUCdBbD:Ae6UqpU4ZvM5QLDNKqs9gVtf0XOCdVD
Score: 6/10
- Legitimate hosting services abused for malware hosting/C2

Target: 2014-12-22 #32/41378f6611e67fca821266bd8d84698c
- Size: 1.4MB
- MD5: 41378f6611e67fca821266bd8d84698c
- SHA1: a58b71aebb697170d778d4bef79f0b3df308a930
- SHA256: 4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8
- SHA512: ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2
- SSDEEP: 12288:4cGjcPsHfoxY5JBNVQ6QL5fDgA1FsHFGjzSU7ucK0rxEwYN6u04XX4ZSBrOZzsmB:hPkPvS3uGkQxEwYzTVFsfyU97GYxa
- NirSoft MailPassView (password recovery tool for various email clients)
- NirSoft WebBrowserPassView (password recovery tool for various web browsers)
- Nirsoft
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
- Suspicious use of SetThreadContext

Target: 2014-12-22 #32/439dce6b40c39157a046563bcb5e3a6a
- Size: 664KB
- MD5: 439dce6b40c39157a046563bcb5e3a6a
- SHA1: bd05604e465336df74df40bef6b6fbc3b360573a
- SHA256: d72393d84be2be8fd53c5172a88327f47dee3c5276ca2a193b403ccc90308236
- SHA512: f37e5e5c535284537b1f819da586c3166bd0e2e85c962b361f8e8c96f05958092cd1c093899683ad8d18121727e30d60ddbfab302e281f8cf90e1d068bfceb3a
- SSDEEP: 12288:ZK2mhAMJ/cPl+zyeuW/xcznRZ6Ko1JL7ffM2HRmQmxx/w:Y2O/Gl+GVW5clMJL7ffdH0Q0/w
Score: 8/10
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 2014-12-22 #32/639d9e895b7e220be010b3c90432b6d0
- Size: 1.4MB
- MD5: 639d9e895b7e220be010b3c90432b6d0
- SHA1: fdf9ea893a647f80481968c103a9285907f07af7
- SHA256: 86a96daccfc0cce3214bf87fd935cbdaaf7db855b6a79bde2050277851329b25
- SHA512: a89f0c47ba2cf47ee8f391e36f74e678756d6f10cd55d26e0d4e296e7de3b4a468670306927a85bd669fc047eb068847118c13e974ff1b010d288fe776d55f9c
- SSDEEP: 24576:W1U1se/YFeAgAI/y8YsAm85tKgB68IU86OpjY3g2+rKQfzFsFfknVPpeEtjYF+:J/YFxI/cw8P1sjfHrHzFLj
- NirSoft MailPassView (password recovery tool for various email clients)
- NirSoft WebBrowserPassView (password recovery tool for various web browsers)
- Nirsoft
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
- Suspicious use of SetThreadContext

Target: 2014-12-22 #32/64fbde6dd4ddff6293c9e71c9fb23cee
- Size: 218KB
- MD5: 64fbde6dd4ddff6293c9e71c9fb23cee
- SHA1: 3bd80fa12fd339eb536d861ec76790aad04b2e71
- SHA256: 85f0679a2d00bb7faff75e65e874502afe421337ce2269af51b36a7620e01af6
- SHA512: 875645a31a1b821945f51396ae407019d5eb1a6f0dfe023dc958f1b299167e385c8964d64e8b52cfb6c130381cdaf3bbaaea9e1d53acbf83636d212224c5c69d
- SSDEEP: 3072:/+cBr/UnL7HgAp6PbjdZ3Pf+ZO4bGD1oVupD0ADvg:WWYLbPp6ndZXJ4bfupDLDv
Score: 8/10
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL
- Adds Run key to start application

Target: 2014-12-22 #32/7203e66c5a6aa9a0be7162b05151dc7d
- Size: 451KB
- MD5: 7203e66c5a6aa9a0be7162b05151dc7d
- SHA1: 572b932565334b97736f25bb3a92b49917db6c2a
- SHA256: 2eab200f3227e5174fd85f16f303785d5cd3fda52ae53b08685ace3287c88651
- SHA512: e769cf17f339cde58296cbffe850972f9f62dd260ec3626b210c634d38e102d1980bd93bb8697c1281498097aa1d7909e687caff70475aaf95f69067de690715
- SSDEEP: 3072:0yNxrONdDt+iVR3VqDe3+YjYk/bRrA0Uf51rGWCWm59IUafckvNYWFfkz25W8pyI:BNxqR+YR4TYJoLASQN8
Score: 10/10
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application

Target: 2014-12-22 #32/7d6cbda928ce43eb520730a94c4f33c3
- Size: 616KB
- MD5: 7d6cbda928ce43eb520730a94c4f33c3
- SHA1: 6a7404e85164adbec1d729b6fa857d2871df71f5
- SHA256: 44796f576bbab4d1d450af8f867bb52e909e09d4001c9bcf4b0738a3018ea0f6
- SHA512: 7b0b826fb9147eaadffbbaa5185d7a8e61764a171f11b1a713105b27f0cc62327eefdbb06925d3a284b6e153193899c831dcc9d1c3bb62ec4f955b668013e244
- SSDEEP: 12288:HGO8Us6ZQWp2DuVb9oj+hTRbUbiqIhqql+o8A3e:1xsuQ4VVZtEGqI2Au
Score: 8/10
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL

Target: 2014-12-22 #32/8164856e9e00ff929e519b7f4ed2df12
- Size: 84KB
- MD5: 8164856e9e00ff929e519b7f4ed2df12
- SHA1: 1da6fca2ffc1e0aa7044f2dc768eadda92559075
- SHA256: be2a83f224392823ca6fc698d6473ec9ae6c75608bad711bafa0c918b7b7a2e8
- SHA512: 26b2cb8747b2ef93f4ab02ed9719ef883f1b7e9b4ba9cf8ab2a75e2ffbefd3284e6cb8b79652efa0fa4cf8ff083e291104ad4ed3d2ee4eeae7a8a70b1ea79cc8
- SSDEEP: 1536:K9W4/LoYbkV1gSLXJ9RRh1A/srQNZJ7w+F7jLqMHfYOGJ9ZnyBfU:K9W40vVjnRCsrzOypyBfU
Score: 8/10
- Executes dropped EXE
- Modifies Windows Firewall
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Drops startup file
- Adds Run key to start application

Target: 2014-12-22 #32/864f15a5f814d374bd36992bea448276
- Size: 251KB
- MD5: 864f15a5f814d374bd36992bea448276
- SHA1: 87d5a371d967cfa068777bdea879539120b749fc
- SHA256: 8d1f926f80c53da9ea1ca7ab9d62cd06b49a46ee94d43f37309f951395455927
- SHA512: 36fbbe2568685e95bf3988994c7bba624f22d8c100fe89b9d6829ba87bd17a76a3f38a26dc2fa345a8335a9466578a24d855292d4502596ad50ab089fe328bb5
- SSDEEP: 3072:M1le6UqAYN076conxfvnM9dtQOGDzoiKxAdgbDxNyqStBZ0XyVivp9D:Ue6UqpU4ZvM5QLDNKqs9gVtf0XUivp9
Score: 6/10
- Legitimate hosting services abused for malware hosting/C2