Analysis
-
max time kernel
155s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28-11-2022 10:20
General
-
Target
4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce.exe
-
Size
643KB
-
MD5
dde9dfb24295d7b19cea9d06bbc70a89
-
SHA1
cac60a20c07c94a8fd293660313d37fb6613a692
-
SHA256
4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce
-
SHA512
debfd350caa18f551110284173d2d1608bfb0792e044ce67ed898878ae1b78bbb912366c0ad2621ba364bc4f1d1b918c52f2f55d80a68fc6f6a384721cad4360
-
SSDEEP
12288:DYuG579ANtmDzgA9I4FpE00YglJLobyQqVtQhU7:JE5smDzDVPB0YMNYyQqV5
Score
10/10
Malware Config
Extracted
Family
cybergate
Version
v3.4.2.2
Botnet
l2ru
C2
brosto.strangled.net:81
brosto.strangled.net:4123
brosto.strangled.net:6745
brosto.strangled.net:7534
brosto.strangled.net:7653
sasaze.chickenkiller.com:7875
sasaze.chickenkiller.com:8545
sasaze.chickenkiller.com:8642
sasaze.chickenkiller.com:8742
sasaze.chickenkiller.com:8954
brostod.jumpingcrab.com:9647
brostod.jumpingcrab.com:9743
brostod.jumpingcrab.com:9866
brostod.jumpingcrab.com:10535
brostod.jumpingcrab.com:10877
1844205166:53575
1844205166:58656
1844205166:59534
1844205166:59642
Mutex
08RFLO43TP8P33
Attributes
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
interface
-
install_file
csrsc.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
a123123123
-
regkey_hkcu
exploruse
-
regkey_hklm
exploruse
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 33 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce.exe"C:\Users\Admin\AppData\Local\Temp\4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
234KB
MD500f501def6ae300ac4e4fa643be36261
SHA1e8604a75db905720fb064044111dd642514953f2
SHA2563e91209868ded73c538024ac67ec7b3fa17a23b94d817656bda6b1ea45ee076b
SHA512a17e742b644256ab3e2edd5b09b51eedbbd83cf213634b4c1215c3d98f8abdf33a9a1e70f82bcd05d40037d8ae4cbc05f46954143233fdc089c33989df8d17e1
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exeFilesize
11KB
MD503c4f3f5cdbc342eb1c0349e001fdd0c
SHA17d45ed19db4eaed16d1985240c98fab7623798e5
SHA256a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc
SHA512d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162
-
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exeFilesize
11KB
MD503c4f3f5cdbc342eb1c0349e001fdd0c
SHA17d45ed19db4eaed16d1985240c98fab7623798e5
SHA256a395cb8bb6cdaa7f0dad2e012fb5107d0d307efea021be048bdd5b67479356bc
SHA512d59ccd1ffffa884c8a7a96979ed19f0f8a586474c23d5b5ab23c235799044042f639e1834ee2e54a205a71caf97898ac8898d0da963fb006e443f3fb8f3c1162
-
memory/424-268-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/424-267-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/424-263-0x0000000000000000-mapping.dmp
-
memory/596-327-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/596-323-0x0000000000000000-mapping.dmp
-
memory/920-159-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/920-146-0x0000000000000000-mapping.dmp
-
memory/920-151-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/1036-167-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1036-166-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1036-161-0x0000000000000000-mapping.dmp
-
memory/1172-240-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1172-235-0x0000000000000000-mapping.dmp
-
memory/1172-239-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1320-186-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1320-181-0x0000000000000000-mapping.dmp
-
memory/1320-185-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1364-241-0x0000000000000000-mapping.dmp
-
memory/1364-244-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1364-243-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1400-341-0x0000000000000000-mapping.dmp
-
memory/1568-305-0x0000000000000000-mapping.dmp
-
memory/1568-310-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1568-309-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1592-299-0x0000000000000000-mapping.dmp
-
memory/1592-304-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1592-303-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1644-158-0x00000000104F0000-0x0000000010560000-memory.dmpFilesize
448KB
-
memory/1644-156-0x00000000104F0000-0x0000000010560000-memory.dmpFilesize
448KB
-
memory/1644-173-0x00000000104F0000-0x0000000010560000-memory.dmpFilesize
448KB
-
memory/1644-150-0x0000000000000000-mapping.dmp
-
memory/2420-228-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2420-227-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2420-223-0x0000000000000000-mapping.dmp
-
memory/2540-292-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2540-287-0x0000000000000000-mapping.dmp
-
memory/2540-291-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2796-297-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2796-298-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2796-293-0x0000000000000000-mapping.dmp
-
memory/2800-217-0x0000000000000000-mapping.dmp
-
memory/2800-221-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2800-222-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2944-269-0x0000000000000000-mapping.dmp
-
memory/2944-273-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2944-274-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2980-322-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2980-321-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/2980-317-0x0000000000000000-mapping.dmp
-
memory/3172-192-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3172-187-0x0000000000000000-mapping.dmp
-
memory/3172-191-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3476-216-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3476-215-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3476-211-0x0000000000000000-mapping.dmp
-
memory/3528-174-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3528-168-0x0000000000000000-mapping.dmp
-
memory/3528-172-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3632-179-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3632-175-0x0000000000000000-mapping.dmp
-
memory/3632-180-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3824-262-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3824-257-0x0000000000000000-mapping.dmp
-
memory/3824-261-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3952-316-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3952-315-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3952-311-0x0000000000000000-mapping.dmp
-
memory/3992-329-0x0000000000000000-mapping.dmp
-
memory/4012-335-0x0000000000000000-mapping.dmp
-
memory/4288-285-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4288-281-0x0000000000000000-mapping.dmp
-
memory/4288-286-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4396-199-0x0000000000000000-mapping.dmp
-
memory/4396-203-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4396-204-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4540-152-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/4540-132-0x0000000074E30000-0x00000000753E1000-memory.dmpFilesize
5.7MB
-
memory/4612-198-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4612-197-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4612-193-0x0000000000000000-mapping.dmp
-
memory/4648-256-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4648-251-0x0000000000000000-mapping.dmp
-
memory/4648-255-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4692-139-0x0000000010410000-0x0000000010480000-memory.dmpFilesize
448KB
-
memory/4692-136-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4692-133-0x0000000000000000-mapping.dmp
-
memory/4692-134-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4692-135-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4692-137-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4692-160-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4692-157-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4692-153-0x00000000104F0000-0x0000000010560000-memory.dmpFilesize
448KB
-
memory/4692-143-0x0000000010480000-0x00000000104F0000-memory.dmpFilesize
448KB
-
memory/4728-245-0x0000000000000000-mapping.dmp
-
memory/4728-249-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4728-250-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4820-280-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4820-275-0x0000000000000000-mapping.dmp
-
memory/4820-279-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4964-347-0x0000000000000000-mapping.dmp
-
memory/5080-209-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/5080-210-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/5080-205-0x0000000000000000-mapping.dmp
-
memory/5108-234-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/5108-233-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/5108-229-0x0000000000000000-mapping.dmp