General

  • Target

    b0352074c6f0556acf2215aa41e485085b1c7561f645f1d314a570acd31ccc1b

  • Size

    6.9MB

  • Sample

    221126-nx33rsbg55

  • MD5

    59fe496c72aacee9dc5f5e5d8ae63e9f

  • SHA1

    5705f38f6b4057eed6c15d87b60088300e9a2161

  • SHA256

    b0352074c6f0556acf2215aa41e485085b1c7561f645f1d314a570acd31ccc1b

  • SHA512

    6715264219de0972cb9465843c194176d4bc5a7588b2d793ca6cbe8d8c50a6519ac02290b4cc4422db68dbbc5055f1ed85771d6cb046cf881af02f73cfcb4bab

  • SSDEEP

    98304:YP5OkE6dDbCR7FuC+CmFt2rwsq3UvKGq1kHOsbLnL8zW2TWUUijZb0NtRS3Ge:YP5OESNFL+H8ws/HpLHl6Zb0NU

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

PC

C2

winserver.dlinkddns.com:447

winserver.dlinkddns.com:777

Mutex

flashplayer

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    smss.exe

  • install_dir

    flashplayer

  • install_file

    flashplayer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    Admin

  • regkey_hkcu

    flashplayer

  • regkey_hklm

    flashplayer

Targets

    • Target

      2014-12-22 #32/12923268c928f103f7f0164be1985cb2

    • Size

      515KB

    • MD5

      12923268c928f103f7f0164be1985cb2

    • SHA1

      41639e6149ca574291ce3e3efaefa4e6f8f57ade

    • SHA256

      693527e991f70f27827eabad1a49886a1009055061e39ca1c9a5557dcc10e56c

    • SHA512

      455237c02d69c535e7ac0db8580d1e4029fba185839f9fc828ced61ce338aaf7d2fe460869049680cca9cd8701721e5b360a3901c818faf0a1ad327debf071ff

    • SSDEEP

      3072:8nrRqBYMmJ6ZL4ueKhhf74xzSSxLGOr9iehVhybyGRO+3sPBnQ79JqUT:8SD9ZL4utwzSe9GROnBQKs

    Score
    8/10
    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      2014-12-22 #32/143821c328d1e9cb4d0d9e0389d85848

    • Size

      218KB

    • MD5

      143821c328d1e9cb4d0d9e0389d85848

    • SHA1

      c381509fc45093fed42757a18719e11e3e407cee

    • SHA256

      a30e46454ebd7526a9bd65706d48e96092cebc90bc275c7d29cd2764f6ffd5e7

    • SHA512

      38a4c89cd5680f882ee51a627217dd52ac119a31463b558809ca1b8241571a5abac5b07b04d3b53d6bd8f0c8962f8b23d5f88ed449447eca6932fca323420a52

    • SSDEEP

      6144:8pXUj3CoFJnDA4PTr/aRjGZ7FJ+aWubsMeXiAuO6MP:8m3CeDZTggKKHAiZv

    Score
    7/10
    • Drops startup file

    • Target

      2014-12-22 #32/1952f6f1225202929d7be4217473e7ce

    • Size

      139KB

    • MD5

      1952f6f1225202929d7be4217473e7ce

    • SHA1

      5b3f201727e5942164c808d2afa35224fd9af939

    • SHA256

      9ed4b6fda9fe81a90363674243da3a172c381e3af83f2985d1763d171e7a9467

    • SHA512

      fd43b89bff8aa2b266a7758f0bc44588978ba42757535af2a58c4def08fea001590cb374c406486daebc8cb8599e76b988be1cd1bf189da8de4046a5256da421

    • SSDEEP

      3072:/wPmh/CRyZ5aawYsA/mgLPLQ5HBLiu81+Owv6A9t1h:/wVUD1samgLPLq81+59B

    Score
    1/10
    • Target

      2014-12-22 #32/1b19dc758fc785466abfd973f125e0a4

    • Size

      656KB

    • MD5

      1b19dc758fc785466abfd973f125e0a4

    • SHA1

      b48b5f7f750f6d928a033f77d416a15dc28bef5f

    • SHA256

      7f3b9ed4a789a7ebc110f722765e7339f7fde4f411248a2a506756871433790c

    • SHA512

      6b0ffc3dc1380810b793dfcf3596762f19af85d20420e95c3fb2fb708ca7ee1a0415c736347b5ffd6288da64fe2927ea73cf32f1111205d2cf7c67c620ee64c1

    • SSDEEP

      12288:BhkV+PsrufpggsDu8r3UyzxMtsuLbyMgaUE3cmLybn6btYw7bvnx4YenoUo/4wzn:4GvlfsuOeEoeo/c9

    Score
    3/10
    • Target

      2014-12-22 #32/1c5f3bf4ddc6f255a71788deeb052435

    • Size

      187KB

    • MD5

      1c5f3bf4ddc6f255a71788deeb052435

    • SHA1

      4edbcc122517bbd8b3cbcfc736d7ccac9a6f94a3

    • SHA256

      e010549bbe7901cde65a1f1c4d6b9e1d5075803c536f2c40f6a52ba30e268289

    • SHA512

      185cf6566dd3682c5f07c269bbf56cb69e69a05b952beae43c3506d1f4a975cf5656ede14713ad97338ab798369ed919f0550a23e129f5898abb2e03596f223d

    • SSDEEP

      3072:oDQkrZoosbIfXJ7GNW3Xf7+Os3s6OH7ej8MBzlnsMpUBfvNgWndV1lCkH3LS/og:oDpoeJGM/7tH6mej8uBfAHhb1lCICp

    Score
    8/10
    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2014-12-22 #32/362a366e1bb65d96b8c0eda30c3599bb

    • Size

      397KB

    • MD5

      362a366e1bb65d96b8c0eda30c3599bb

    • SHA1

      6d411063c79f133174d392994d253324215c72f5

    • SHA256

      5ce1cbbe1ab33a7ede2b8559306cbd73fdce59d2d63fa0aa18ac1d5442714f1e

    • SHA512

      1309a703bb9dbe99cda3fe0cabb7ac2d158fd7bdb4668a1c1091f783d4c04aea702e34c8bdd1ef8e5b7b3a5b98a6b618837cc495799bd480b32fd85fcfb4a0fd

    • SSDEEP

      6144:nSA3yoYjSQ7NM+eag1M8Mn9ymc91qhgW15E5/1osTr0J:SkYjSQ30Y9yTgtsPo5J

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2014-12-22 #32/39ba57532da96906e6ddbe8669011e76

    • Size

      136KB

    • MD5

      39ba57532da96906e6ddbe8669011e76

    • SHA1

      36188c577a00f77814932f440bb53888c0a5829d

    • SHA256

      d200f44c86db4773993473537f2ea254dd1f29f12d4fb3fc594662eb67d0bab8

    • SHA512

      f8060093a3f4f75b998fde4b4e9abb0dd55f6cb1889fdd511afc194a06e712c2ac2e7150e68aec5b453ab41f03fd4706d3df741f65a71b07de9f03d854a8457d

    • SSDEEP

      1536:5ju/Zx4SGUCjwsTYsUpA/MaVlMPiQHqN7jiojy4ftroTAkIESzV1QeIw98Bk0OAp:iZWlCpMQHIu6yaFZkIECQeIQ8Bk2p

    Score
    8/10
    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Target

      2014-12-22 #32/409541f2ca9bc08e528a05970e278e57

    • Size

      233KB

    • MD5

      409541f2ca9bc08e528a05970e278e57

    • SHA1

      f74fa666a8ef14232a6c61da9e5ae47caaabb5a7

    • SHA256

      5148d95eb0c32118ae904534cb1c1098c8cf48a79941f320f8433f76fd78e91b

    • SHA512

      311f819fca707b4f22b68cd68a15f7105a45e388b0cd68de345418a158f1eb407b9ee26735be2b2018e8210007d442bc7f3aad2e9692e4db525b8cd4c23e04f8

    • SSDEEP

      3072:w1le6UqAYN076conxfvnM9dtQOGDzoiKxAdgbDxNyqStBZ0XEHKUCdBbD:Ae6UqpU4ZvM5QLDNKqs9gVtf0XOCdVD

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      2014-12-22 #32/41378f6611e67fca821266bd8d84698c

    • Size

      1.4MB

    • MD5

      41378f6611e67fca821266bd8d84698c

    • SHA1

      a58b71aebb697170d778d4bef79f0b3df308a930

    • SHA256

      4e5a0dd3a34d526c7a3894899fa911dabc7d43342fa7015b1ece3cfe7bc9d2c8

    • SHA512

      ad87947da74ab81af76791a48a623ad6a02dd4d3b3cf8ae1973609d870ebe9d933227e662e7eaba5a5a811b5d70b2a816a801836cd2f84b26a3f15da36deb1b2

    • SSDEEP

      12288:4cGjcPsHfoxY5JBNVQ6QL5fDgA1FsHFGjzSU7ucK0rxEwYN6u04XX4ZSBrOZzsmB:hPkPvS3uGkQxEwYzTVFsfyU97GYxa

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      2014-12-22 #32/439dce6b40c39157a046563bcb5e3a6a

    • Size

      664KB

    • MD5

      439dce6b40c39157a046563bcb5e3a6a

    • SHA1

      bd05604e465336df74df40bef6b6fbc3b360573a

    • SHA256

      d72393d84be2be8fd53c5172a88327f47dee3c5276ca2a193b403ccc90308236

    • SHA512

      f37e5e5c535284537b1f819da586c3166bd0e2e85c962b361f8e8c96f05958092cd1c093899683ad8d18121727e30d60ddbfab302e281f8cf90e1d068bfceb3a

    • SSDEEP

      12288:ZK2mhAMJ/cPl+zyeuW/xcznRZ6Ko1JL7ffM2HRmQmxx/w:Y2O/Gl+GVW5clMJL7ffdH0Q0/w

    Score
    8/10
    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      2014-12-22 #32/639d9e895b7e220be010b3c90432b6d0

    • Size

      1.4MB

    • MD5

      639d9e895b7e220be010b3c90432b6d0

    • SHA1

      fdf9ea893a647f80481968c103a9285907f07af7

    • SHA256

      86a96daccfc0cce3214bf87fd935cbdaaf7db855b6a79bde2050277851329b25

    • SHA512

      a89f0c47ba2cf47ee8f391e36f74e678756d6f10cd55d26e0d4e296e7de3b4a468670306927a85bd669fc047eb068847118c13e974ff1b010d288fe776d55f9c

    • SSDEEP

      24576:W1U1se/YFeAgAI/y8YsAm85tKgB68IU86OpjY3g2+rKQfzFsFfknVPpeEtjYF+:J/YFxI/cw8P1sjfHrHzFLj

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      2014-12-22 #32/64fbde6dd4ddff6293c9e71c9fb23cee

    • Size

      218KB

    • MD5

      64fbde6dd4ddff6293c9e71c9fb23cee

    • SHA1

      3bd80fa12fd339eb536d861ec76790aad04b2e71

    • SHA256

      85f0679a2d00bb7faff75e65e874502afe421337ce2269af51b36a7620e01af6

    • SHA512

      875645a31a1b821945f51396ae407019d5eb1a6f0dfe023dc958f1b299167e385c8964d64e8b52cfb6c130381cdaf3bbaaea9e1d53acbf83636d212224c5c69d

    • SSDEEP

      3072:/+cBr/UnL7HgAp6PbjdZ3Pf+ZO4bGD1oVupD0ADvg:WWYLbPp6ndZXJ4bfupDLDv

    Score
    8/10
    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      2014-12-22 #32/7203e66c5a6aa9a0be7162b05151dc7d

    • Size

      451KB

    • MD5

      7203e66c5a6aa9a0be7162b05151dc7d

    • SHA1

      572b932565334b97736f25bb3a92b49917db6c2a

    • SHA256

      2eab200f3227e5174fd85f16f303785d5cd3fda52ae53b08685ace3287c88651

    • SHA512

      e769cf17f339cde58296cbffe850972f9f62dd260ec3626b210c634d38e102d1980bd93bb8697c1281498097aa1d7909e687caff70475aaf95f69067de690715

    • SSDEEP

      3072:0yNxrONdDt+iVR3VqDe3+YjYk/bRrA0Uf51rGWCWm59IUafckvNYWFfkz25W8pyI:BNxqR+YR4TYJoLASQN8

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      2014-12-22 #32/7d6cbda928ce43eb520730a94c4f33c3

    • Size

      616KB

    • MD5

      7d6cbda928ce43eb520730a94c4f33c3

    • SHA1

      6a7404e85164adbec1d729b6fa857d2871df71f5

    • SHA256

      44796f576bbab4d1d450af8f867bb52e909e09d4001c9bcf4b0738a3018ea0f6

    • SHA512

      7b0b826fb9147eaadffbbaa5185d7a8e61764a171f11b1a713105b27f0cc62327eefdbb06925d3a284b6e153193899c831dcc9d1c3bb62ec4f955b668013e244

    • SSDEEP

      12288:HGO8Us6ZQWp2DuVb9oj+hTRbUbiqIhqql+o8A3e:1xsuQ4VVZtEGqI2Au

    Score
    8/10
    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Target

      2014-12-22 #32/8164856e9e00ff929e519b7f4ed2df12

    • Size

      84KB

    • MD5

      8164856e9e00ff929e519b7f4ed2df12

    • SHA1

      1da6fca2ffc1e0aa7044f2dc768eadda92559075

    • SHA256

      be2a83f224392823ca6fc698d6473ec9ae6c75608bad711bafa0c918b7b7a2e8

    • SHA512

      26b2cb8747b2ef93f4ab02ed9719ef883f1b7e9b4ba9cf8ab2a75e2ffbefd3284e6cb8b79652efa0fa4cf8ff083e291104ad4ed3d2ee4eeae7a8a70b1ea79cc8

    • SSDEEP

      1536:K9W4/LoYbkV1gSLXJ9RRh1A/srQNZJ7w+F7jLqMHfYOGJ9ZnyBfU:K9W40vVjnRCsrzOypyBfU

    Score
    8/10
    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Target

      2014-12-22 #32/864f15a5f814d374bd36992bea448276

    • Size

      251KB

    • MD5

      864f15a5f814d374bd36992bea448276

    • SHA1

      87d5a371d967cfa068777bdea879539120b749fc

    • SHA256

      8d1f926f80c53da9ea1ca7ab9d62cd06b49a46ee94d43f37309f951395455927

    • SHA512

      36fbbe2568685e95bf3988994c7bba624f22d8c100fe89b9d6829ba87bd17a76a3f38a26dc2fa345a8335a9466578a24d855292d4502596ad50ab089fe328bb5

    • SSDEEP

      3072:M1le6UqAYN076conxfvnM9dtQOGDzoiKxAdgbDxNyqStBZ0XyVivp9D:Ue6UqpU4ZvM5QLDNKqs9gVtf0XUivp9

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks

static1

Score
1/10

behavioral1

Score
8/10

behavioral2

Score
8/10

behavioral3

Score
7/10

behavioral4

Score
7/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
3/10

behavioral8

Score
3/10

behavioral9

persistence
Score
8/10

behavioral10

Score
7/10

behavioral11

cybergate, pc, persistence, stealer, trojan, upx
Score
10/10

behavioral12

cybergate, pc, persistence, stealer, trojan, upx
Score
10/10

behavioral13

evasion, persistence
Score
8/10

behavioral14

evasion, persistence
Score
8/10

behavioral15

Score
6/10

behavioral16

Score
6/10

behavioral17

hawkeye, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral18

hawkeye, collection, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral19

evasion, persistence
Score
8/10

behavioral20

Score
8/10

behavioral21

hawkeye, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral22

hawkeye, collection, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral23

evasion, persistence
Score
8/10

behavioral24

evasion, persistence
Score
8/10

behavioral25

evasion, persistence
Score
8/10

behavioral26

njrat, evasion, persistence, trojan
Score
10/10

behavioral27

Score
8/10

behavioral28

Score
8/10

behavioral29

Score
8/10

behavioral30

evasion, persistence
Score
8/10

behavioral31

Score
6/10

behavioral32

Score
6/10