Overview

overview

10

Static

static

6778ccbc9d...9d.exe

windows7-x64

10

6778ccbc9d...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 03:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe

  • Size

    649KB

  • MD5

    28eb2401c10f2877daab62a6e749f6b0

  • SHA1

    64f0e58afc44b1ef387df1d885678a287090a616

  • SHA256

    6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d

  • SHA512

    8671d339192ef77cc3a981ae8efed4d49480bfe2dce4efe4adf1fbda3551e59100aefe2e859d6b3c9fa9c60ff0857ce5c424046a7457e3e50c6d7b164f5a38fb

  • SSDEEP

    6144:gCttNye+9aj4mOfaLzg89Vo/FGR0E7hMI4RJDNN2aXH16aaI6iul9FYLwHeNlllq:b9ROiLisxNMblHEaarFYL2euIzjsUAV

Score
10/10
cybergatehackpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

hack

C2

ze-hack3r.zapto.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Updater

  • install_file

    Patch.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    This program is corrupted. Please verify all files and retry.

  • message_box_title

    ERROR

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe
    "C:\Users\Admin\AppData\Local\Temp\6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C cd C:\Users\Admin\AppData\Roaming\ &&ren *.zgy *.exe && exit
      2⤵
        PID:4804
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs"
        2⤵
        • Adds Run key to start application
        PID:2412
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:4880
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
            3⤵
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4856
            • C:\Windows\SysWOW64\Updater\Patch.exe
              "C:\Windows\system32\Updater\Patch.exe"
              4⤵
              • Executes dropped EXE
              PID:1544
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5112

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Registry Run Keys / Startup Folder

      3
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs
        Filesize

        248B

        MD5

        226a406fb0187ed8966dbcefcf582d03

        SHA1

        3a2b8c28bfc6332f05458bcc251a2850e76ff949

        SHA256

        db40e76b6a109be060619d0dd7103d3fe3eeafcabef02a4b47bc4ebfd287b2ff

        SHA512

        dcf416c3575f6161f2f5362e8ab2bcf05d618d14c61f9e03a5b866bd9cf1064246285797850faee9db9ab08c97af02106fa517fdab883152e360b07a09793e1d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        229KB

        MD5

        48a79f3783d59cf59e56d646def0c436

        SHA1

        3523c6fce7533f6b52cf2da9067f753e330878c0

        SHA256

        bf537cf61f6aa7fd8f7bce3780bfe5019c77f628188363c22393d45886a06814

        SHA512

        fef8568a8f9261fc97d58a5b842782b0d9cc066dca1ad2daece0010ae9f8b4138c921a78621bfe700cac9ab43f0d2b5e4d302331017e91748b1f7e8c355c2e57

        Download Submit
      • C:\Users\Admin\AppData\Roaming\ecran.zgy
        Filesize

        649KB

        MD5

        28eb2401c10f2877daab62a6e749f6b0

        SHA1

        64f0e58afc44b1ef387df1d885678a287090a616

        SHA256

        6778ccbc9de5d0a1403fc466e0d4ba7943056bbe7c5f1b1a1bdc6cc52073439d

        SHA512

        8671d339192ef77cc3a981ae8efed4d49480bfe2dce4efe4adf1fbda3551e59100aefe2e859d6b3c9fa9c60ff0857ce5c424046a7457e3e50c6d7b164f5a38fb

        Download Submit
      • C:\Windows\SysWOW64\Updater\Patch.exe
        Filesize

        34KB

        MD5

        e118330b4629b12368d91b9df6488be0

        SHA1

        ce90218c7e3b90df2a3409ec253048bb6472c2fd

        SHA256

        3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

        SHA512

        ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

        Download Submit
      • C:\Windows\SysWOW64\Updater\Patch.exe
        Filesize

        34KB

        MD5

        e118330b4629b12368d91b9df6488be0

        SHA1

        ce90218c7e3b90df2a3409ec253048bb6472c2fd

        SHA256

        3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

        SHA512

        ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

        Download Submit
      • memory/1544-156-0x0000000000000000-mapping.dmp
        Download
      • memory/2412-135-0x0000000000000000-mapping.dmp
        Download
      • memory/2952-162-0x0000000006130000-0x0000000006230000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2952-161-0x0000000000F79000-0x0000000000F7F000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2952-159-0x00000000750A0000-0x0000000075651000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2952-158-0x0000000000F79000-0x0000000000F7F000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2952-132-0x00000000750A0000-0x0000000075651000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2952-167-0x00000000750A0000-0x0000000075651000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2952-168-0x0000000000F79000-0x0000000000F7F000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2972-137-0x0000000000000000-mapping.dmp
        Download
      • memory/2972-139-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/2972-151-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/2972-138-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/2972-148-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/2972-140-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/2972-143-0x0000000024010000-0x0000000024072000-memory.dmp
        Filesize

        392KB

        Download
      • memory/2972-141-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/4804-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4856-160-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/4856-147-0x0000000000000000-mapping.dmp
        Download
      • memory/4856-155-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/4856-152-0x0000000024080000-0x00000000240E2000-memory.dmp
        Filesize

        392KB

        Download
      • memory/5112-163-0x0000000000000000-mapping.dmp
        Download
      • memory/5112-166-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/5112-169-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download
      • memory/5112-170-0x0000000000400000-0x000000000044E000-memory.dmp
        Filesize

        312KB

        Download