Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/11/2022, 03:48

General

  • Target

    02dbd51e6e6665e1dbcee0114c837134c5e081e8d20b2f2cdec7dfe6d561d020.exe

  • Size

    287KB

  • MD5

    90836c37324ef07af0c8a2fbbbcb43df

  • SHA1

    3bcf740147ac242d80f03b9665988f9c54e9b2ce

  • SHA256

    02dbd51e6e6665e1dbcee0114c837134c5e081e8d20b2f2cdec7dfe6d561d020

  • SHA512

    85c7b07dfdbb43770bfc34069dc0ea17346b349a9f9b58d366fbf33ed1a171109d291017a9f75bd819c2a14e6a72679cc8aff9b1e9b5ac7c9bfaf89abfdfab94

  • SSDEEP

    6144:dSD3sPwpUuuBsrVXUAvDmH5r/YVFKlc8RfMRoEY:oDsopimRUAvDmH5r/mclcEfMRk

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

koolzone.no-ip.biz:2000

Mutex

X102C60DYD7IA4

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./victim/

  • ftp_interval

    30

  • ftp_password

    hiphop49

  • ftp_port

    21

  • ftp_server

    ftp.megastylesboutique.pusku.com

  • ftp_username

    u642653441.bob

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    firefoxexe

  • install_flag

    true

  • keylogger_enable_ftp

    true

  • message_box_caption

    Error un fichier cidz.dl introuvable

  • message_box_title

    Error

  • password

    hiphop

  • regkey_hkcu

    HKCU

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • UPX packed file (8 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2560
      • C:\Users\Admin\AppData\Local\Temp\02dbd51e6e6665e1dbcee0114c837134c5e081e8d20b2f2cdec7dfe6d561d020.exe
        "C:\Users\Admin\AppData\Local\Temp\02dbd51e6e6665e1dbcee0114c837134c5e081e8d20b2f2cdec7dfe6d561d020.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Suspicious use of AdjustPrivilegeToken
            PID:1932
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2136
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1168

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

      Filesize

      224KB

      MD5

      3e34523330a6d6a7da32e6f6179b5467

      SHA1

      e174599463baa2f03af29814a47faf8b86082781

      SHA256

      d9ee0d25e487350e00675b8158ab80912b0a4bcfe407b38bf58fba3544c872af

      SHA512

      9d1e69348ab69ff1612aa7d8681dcd89e7b4286f666dc885cee8a9df0acf1230848f3ccf1bcae3600283fc1f33097be675b4e33b0c763111ab09317791b0447b

    • C:\Users\Admin\AppData\Local\Temp\server.exe

      Filesize

      296KB

      MD5

      2e4e23a058cfc26ef55cdb5ed7a451f7

      SHA1

      8917ff4dab0234a0a6c57c71107dedf55f3f0142

      SHA256

      677cb5bbce93f4acd86295fae4d94f561e41b6fe19a92eb9c8f233523bcc1dbc

      SHA512

      7c29ee11bfc75463d01f2ca16753b54e51d8b6e2b083bd41b0097ca688828f5369245c864db3047fe93b285f5bb5b6033f8baca4e0c82e3da304f0bba67190b9

    • C:\Windows\SysWOW64\install\firefoxexe

      Filesize

      296KB

      MD5

      2e4e23a058cfc26ef55cdb5ed7a451f7

      SHA1

      8917ff4dab0234a0a6c57c71107dedf55f3f0142

      SHA256

      677cb5bbce93f4acd86295fae4d94f561e41b6fe19a92eb9c8f233523bcc1dbc

      SHA512

      7c29ee11bfc75463d01f2ca16753b54e51d8b6e2b083bd41b0097ca688828f5369245c864db3047fe93b285f5bb5b6033f8baca4e0c82e3da304f0bba67190b9

    • memory/1016-136-0x0000000010410000-0x0000000010475000-memory.dmp

      Filesize

      404KB

    • memory/1016-150-0x00000000104F0000-0x0000000010555000-memory.dmp

      Filesize

      404KB

    • memory/1016-141-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/1932-144-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/1932-147-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/2136-153-0x00000000104F0000-0x0000000010555000-memory.dmp

      Filesize

      404KB

    • memory/2136-154-0x00000000104F0000-0x0000000010555000-memory.dmp

      Filesize

      404KB

    • memory/2136-155-0x00000000104F0000-0x0000000010555000-memory.dmp

      Filesize

      404KB