Overview

overview

10

Static

static

eabea1fc49...67.exe

windows7-x64

10

eabea1fc49...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 14:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867.exe

  • Size

    894KB

  • MD5

    feddd6ad5fd736e0ac7099e51f2303ab

  • SHA1

    ee888d475bb89fb2636dc4951be27a565bc748d4

  • SHA256

    eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

  • SHA512

    2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

  • SSDEEP

    12288:cxoQ5RTjymNTQDV5bJKsQIJN35orslCoTj7qXwnSL85tbz0f13kg+gIqYZyu8D+v:FQ5R6m1kVrKrIOyBjOXMfzgUvg4yu8DA

Score
10/10
cybergateremotepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

127.0.0.1:999

sasha00.ddns.net:1607
Mutex

XWN0EO657A23J4

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 9 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867.exe
    "C:\Users\Admin\AppData\Local\Temp\eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
      "C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
        "C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe"
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
            PID:2508
          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            "C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe"
            4⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
            • C:\directory\CyberGate\install\server.exe
              "C:\directory\CyberGate\install\server.exe"
              5⤵
              • Executes dropped EXE
              PID:808
              • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
                "C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                PID:4572
                • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
                  "C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4892
          • C:\directory\CyberGate\install\server.exe
            "C:\directory\CyberGate\install\server.exe"
            4⤵
            • Executes dropped EXE
            PID:1628
            • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
              "C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              PID:1688
              • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
                "C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:2608

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
            Filesize

            224KB

            MD5

            383640a68c6c81b07e5eb9d7126f8033

            SHA1

            0e8a16b136714168b58a1d39a09b88d9b63af86c

            SHA256

            91a76fc02f507efd2129b7b8760489376ac7fe114eeff16f296231f390c80f05

            SHA512

            ca2e1f4f680b885a7ef4cdf57f4a0b467af8d19c6ed3bc01255a29e6db166bb00cb8aeb3a420824b6ef9fe8f0e9fe4d1ff183354260f8c441022bd72943c83b3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\ExampleFolder\Example.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\directory\CyberGate\install\server.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\directory\CyberGate\install\server.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • C:\directory\CyberGate\install\server.exe
            Filesize

            894KB

            MD5

            feddd6ad5fd736e0ac7099e51f2303ab

            SHA1

            ee888d475bb89fb2636dc4951be27a565bc748d4

            SHA256

            eabea1fc49bcba8bbf69702ff6a6ba3bd541823857c6dcbfa6e4d1cb09bf1867

            SHA512

            2e2f9d85d18e16f0485668c348dda24797cf8097a542621d74c69486182f2469bd534fc9b3e897b2ba4938625ba1388f3137e433d2894f4a30c19a7fe831bca9

            Download Submit

          • memory/1320-146-0x0000000010480000-0x00000000104E5000-memory.dmp

            Filesize

            404KB

            Download

          • memory/1320-153-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/1320-140-0x0000000010410000-0x0000000010475000-memory.dmp

            Filesize

            404KB

            Download

          • memory/1320-138-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/1712-154-0x0000000010480000-0x00000000104E5000-memory.dmp

            Filesize

            404KB

            Download

          • memory/1712-152-0x0000000010480000-0x00000000104E5000-memory.dmp

            Filesize

            404KB

            Download

          • memory/1712-149-0x0000000010480000-0x00000000104E5000-memory.dmp

            Filesize

            404KB

            Download

          • memory/1748-132-0x00000000023A0000-0x00000000023A5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/2608-167-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/2608-170-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/4892-168-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/4892-169-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download