Analysis

  • max time kernel
    152s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 09:31

General

  • Target

    825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

  • Size

    454KB

  • MD5

    5b747bea00230414e196afd29ffd9cf7

  • SHA1

    a1bff5c84bdb5895f693e7239735f93c81629c77

  • SHA256

    825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c

  • SHA512

    18e004758d760a26641186dfd4ac8d140a131f59d77f29e02c0b9e120d64e1cca80e8d1f5675a92f44031fd6fc78de9648d9da14da8fd158fe15314ea8ba0bfa

  • SSDEEP

    6144:FEYZenDUvNOYa+qmbjqsPGp3OJbsGynZO3ehp6k7+4Kgkw2D+QBOBw1VIfQFS2wx:Xen4vMJMqmeHZEepuw2apORD8

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

q

C2

looost.no-ip.biz:90

Mutex

K0672GC34DW2QD

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    explorer

  • install_file

    explorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Molebox Virtualization software 1 IoCs

    Detects file using Molebox Virtualization software.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
    "C:\Users\Admin\AppData\Local\Temp\825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:748
      • C:\Users\Admin\AppData\Local\Temp\825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
        "C:\Users\Admin\AppData\Local\Temp\825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:956

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Defense Evasion

    Modify Registry

    2
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      236KB

      MD5

      2d5e4b1bf6e02021ab35c7e00ca84622

      SHA1

      703bfb7a92a0d093fa1f8a9fba0bb783f42f8dec

      SHA256

      fcc830275c5c3860dfc6a91dbc93a6b6d51cd6954a0fbcb6a6367a76a808453b

      SHA512

      7600839db864321df3bba3f56962696e3d45652c45a6378f6b799a2cbd7925604d438701f01d3df852e8e56586255cf4ff9f110b4861dc1ba95025875c633e15

    • C:\Windows\explorer\explorer.exe
      Filesize

      454KB

      MD5

      5b747bea00230414e196afd29ffd9cf7

      SHA1

      a1bff5c84bdb5895f693e7239735f93c81629c77

      SHA256

      825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c

      SHA512

      18e004758d760a26641186dfd4ac8d140a131f59d77f29e02c0b9e120d64e1cca80e8d1f5675a92f44031fd6fc78de9648d9da14da8fd158fe15314ea8ba0bfa

    • memory/836-59-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/836-69-0x0000000010490000-0x0000000010502000-memory.dmp
      Filesize

      456KB

    • memory/836-58-0x0000000001EC0000-0x0000000001FC0000-memory.dmp
      Filesize

      1024KB

    • memory/836-54-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/836-60-0x0000000001D00000-0x0000000001E00000-memory.dmp
      Filesize

      1024KB

    • memory/836-61-0x0000000002110000-0x0000000002210000-memory.dmp
      Filesize

      1024KB

    • memory/836-63-0x0000000010410000-0x0000000010482000-memory.dmp
      Filesize

      456KB

    • memory/836-79-0x0000000000400000-0x000000000045B000-memory.dmp
      Filesize

      364KB

    • memory/836-78-0x0000000001BD0000-0x0000000001C1E000-memory.dmp
      Filesize

      312KB

    • memory/836-57-0x0000000001EB1000-0x0000000001EB5000-memory.dmp
      Filesize

      16KB

    • memory/836-55-0x0000000001BD0000-0x0000000001C1E000-memory.dmp
      Filesize

      312KB

    • memory/836-56-0x0000000001CF1000-0x0000000001CF5000-memory.dmp
      Filesize

      16KB

    • memory/956-75-0x0000000010490000-0x0000000010502000-memory.dmp
      Filesize

      456KB

    • memory/956-74-0x0000000010490000-0x0000000010502000-memory.dmp
      Filesize

      456KB

    • memory/956-72-0x0000000010490000-0x0000000010502000-memory.dmp
      Filesize

      456KB

    • memory/956-68-0x0000000075A11000-0x0000000075A13000-memory.dmp
      Filesize

      8KB

    • memory/956-67-0x0000000000000000-mapping.dmp
    • memory/956-80-0x0000000010490000-0x0000000010502000-memory.dmp
      Filesize

      456KB