Overview

overview

10

Static

static

af07dcf42d...eb.exe

windows7-x64

10

af07dcf42d...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe

  • Size

    360KB

  • MD5

    adeb89e005317ed8ebd2210ffe3424b6

  • SHA1

    ba7b12cd5163bf6b44c23494c1d1d17ebd6f007a

  • SHA256

    af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb

  • SHA512

    0d8f9ff28cb88128edd1a4e58037e9f67693478aa1097e0aff5935f871a43c806e363a31c715d6159f997ff33c215f415c5e3b110bf4598df896b22c253871e4

  • SSDEEP

    6144:dXicc/18K2N++X/F/DZ363XvbTG+5IW8M2pRMJW/yEjzPKPyi40gcwHi2:dXicc/19+tl36nzH5ILMy6t40gjj

Score
10/10
cybergatevictimepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

C2

tamere.no-ip.org:1604

Mutex

O22677E3DY4N74

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    winlogon

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1234

  • regkey_hklm

    explorer.exe

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe
    "C:\Users\Admin\AppData\Local\Temp\af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:856
        • C:\Windows\SysWOW64\winlogon\svchost.exe
          "C:\Windows\system32\winlogon\svchost.exe"
          4⤵
          • Executes dropped EXE
          PID:220
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:388
      • C:\Users\Admin\AppData\Local\Temp\ShFusRes.exe
        "C:\Users\Admin\AppData\Local\Temp\ShFusRes.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4352
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          4⤵
            PID:4128
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 552
              5⤵
              • Program crash
              PID:4320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4128 -ip 4128
      1⤵
        PID:1444

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        e86f5d63e982194e8031d30efd90678a

        SHA1

        0b47815f87e78e29bd6e3156f18438cf5559552f

        SHA256

        8dbd5ff92a7c0455b8940c6b1daad39e22c00bbd0e515cde09bb74a15c1ceaa8

        SHA512

        68632eef4cbfe34ef76cec38ded5752dd8e0ed988869f694fb64354dba0692ceb0754b0e68479dc6288625695ab150d14994b2e103321a5a23ae67e3bd315f65

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ShFusRes.exe
        Filesize

        360KB

        MD5

        adeb89e005317ed8ebd2210ffe3424b6

        SHA1

        ba7b12cd5163bf6b44c23494c1d1d17ebd6f007a

        SHA256

        af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb

        SHA512

        0d8f9ff28cb88128edd1a4e58037e9f67693478aa1097e0aff5935f871a43c806e363a31c715d6159f997ff33c215f415c5e3b110bf4598df896b22c253871e4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ShFusRes.exe
        Filesize

        360KB

        MD5

        adeb89e005317ed8ebd2210ffe3424b6

        SHA1

        ba7b12cd5163bf6b44c23494c1d1d17ebd6f007a

        SHA256

        af07dcf42d94e00e9b44c4b10b9caba23d47705210bd6945930ca44bf1c933eb

        SHA512

        0d8f9ff28cb88128edd1a4e58037e9f67693478aa1097e0aff5935f871a43c806e363a31c715d6159f997ff33c215f415c5e3b110bf4598df896b22c253871e4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe
        Filesize

        6KB

        MD5

        3852f794559e6af06d1fedf106b02bc2

        SHA1

        c2709b8a1cfe1dd2aa68857b4712f6dec9dd7619

        SHA256

        a00e02b52ce16b83f8797b195b22e39cfab5506ad6776d7c39d463cac6253548

        SHA512

        b6b583536ce9561883aa62d1e6cb2a3835f4d744aae4daa5fd10d002dccd58cea9eefd0ac0c8b2233889159f6b6b9c490e400b689238850fb3b4f4549010dce8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MmcAspExt.exe
        Filesize

        6KB

        MD5

        3852f794559e6af06d1fedf106b02bc2

        SHA1

        c2709b8a1cfe1dd2aa68857b4712f6dec9dd7619

        SHA256

        a00e02b52ce16b83f8797b195b22e39cfab5506ad6776d7c39d463cac6253548

        SHA512

        b6b583536ce9561883aa62d1e6cb2a3835f4d744aae4daa5fd10d002dccd58cea9eefd0ac0c8b2233889159f6b6b9c490e400b689238850fb3b4f4549010dce8

        Download Submit
      • C:\Windows\SysWOW64\winlogon\svchost.exe
        Filesize

        57KB

        MD5

        454501a66ad6e85175a6757573d79f8b

        SHA1

        8ca96c61f26a640a5b1b1152d055260b9d43e308

        SHA256

        7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

        SHA512

        9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

        Download Submit
      • C:\Windows\SysWOW64\winlogon\svchost.exe
        Filesize

        57KB

        MD5

        454501a66ad6e85175a6757573d79f8b

        SHA1

        8ca96c61f26a640a5b1b1152d055260b9d43e308

        SHA256

        7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

        SHA512

        9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

        Download Submit
      • memory/220-154-0x0000000000000000-mapping.dmp
        Download
      • memory/388-140-0x0000000000000000-mapping.dmp
        Download
      • memory/388-150-0x00000000750E0000-0x0000000075691000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/388-164-0x00000000750E0000-0x0000000075691000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/856-148-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/856-144-0x0000000000000000-mapping.dmp
        Download
      • memory/856-151-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/856-165-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1336-163-0x00000000750E0000-0x0000000075691000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1336-139-0x00000000750E0000-0x0000000075691000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4128-161-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/4128-158-0x0000000000000000-mapping.dmp
        Download
      • memory/4352-156-0x0000000000000000-mapping.dmp
        Download
      • memory/4352-162-0x00000000750E0000-0x0000000075691000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4352-166-0x00000000750E0000-0x0000000075691000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/4980-136-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/4980-145-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/4980-137-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/4980-138-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/4980-135-0x0000000000000000-mapping.dmp
        Download