Overview

overview

10

Static

static

7672a5945d...34.exe

windows7-x64

10

7672a5945d...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 09:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34.exe

  • Size

    654KB

  • MD5

    67998cc5c7716d03aad09e73ae305859

  • SHA1

    678ee856ab863ec48a6969a5e6d993ef99cc4850

  • SHA256

    7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34

  • SHA512

    61e291c9b9872dda26589dce8035e6d3b8e28aec27e691c8067cc06fa70578a6b87255ce86dacd9815221103f4383dec0169bc48f444396af2635bcc9ec7c733

  • SSDEEP

    12288:CwDhAOxtf3XNPWDVRQ/UtK9BJ3pAEX8KrfBtmFZRBLYCQd23sCJ:CwFAO792Q/TjpAEsgpA3UJAvJ

Score
10/10
cybergatecyberpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

rsmacroing.no-ip.biz:101

rsmacroing.no-ip.biz:100
Mutex

40S23881623UTP

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34.exe
    "C:\Users\Admin\AppData\Local\Temp\7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe
      C:\Users\Admin\AppData\Local\Temp\\plugtmp\Service.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:4764
        • C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe
          "C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:4672
          • C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe
            "C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe"
            4⤵
            • Executes dropped EXE
            PID:2140

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
            Filesize

            224KB

            MD5

            5cda37c0ef390534c1a5e9d81c002bd2

            SHA1

            49c8b6baffc5a2b54d49e853d4f76bc75e7a1da7

            SHA256

            0bc2ac218277b13e8cdc3d908263c5f83568cf573eb55a7d5e9959341ec447df

            SHA512

            01ec2373efe085901598160b62b9d7118fcfcea05b29d8f75d787ef87264a6e7cb91662d1954e53e8444a99ca7d5f6c27ab1e51e7eebd9864436f0275c739626

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\plugtmp\Service.exe
            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

            Download Submit

          • memory/3144-132-0x0000000074660000-0x0000000074C11000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3144-140-0x0000000074660000-0x0000000074C11000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4672-151-0x0000000010480000-0x00000000104E5000-memory.dmp

            Filesize

            404KB

            Download

          • memory/4672-157-0x0000000010480000-0x00000000104E5000-memory.dmp

            Filesize

            404KB

            Download

          • memory/4672-154-0x0000000010480000-0x00000000104E5000-memory.dmp

            Filesize

            404KB

            Download

          • memory/4688-138-0x0000000000400000-0x0000000000451000-memory.dmp

            Filesize

            324KB

            Download

          • memory/4688-148-0x0000000010480000-0x00000000104E5000-memory.dmp

            Filesize

            404KB

            Download

          • memory/4688-152-0x0000000000400000-0x0000000000451000-memory.dmp

            Filesize

            324KB

            Download

          • memory/4688-134-0x0000000000400000-0x0000000000451000-memory.dmp

            Filesize

            324KB

            Download

          • memory/4688-139-0x0000000000400000-0x0000000000451000-memory.dmp

            Filesize

            324KB

            Download

          • memory/4688-142-0x0000000010410000-0x0000000010475000-memory.dmp

            Filesize

            404KB

            Download

          • memory/4688-137-0x0000000000400000-0x0000000000451000-memory.dmp

            Filesize

            324KB

            Download