Overview

overview

10

Static

static

9080c3f6bf...dc.exe

windows7-x64

10

9080c3f6bf...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9080c3f6bf8afdc11f9182a3c93c4089031e49583bc77d891db7fba70c36a5dc.exe

  • Size

    305KB

  • MD5

    cf021b56375f2d4c7d6fa9dafb2b94d6

  • SHA1

    e010b77646dee697084e18b46a3160df0987ad0c

  • SHA256

    9080c3f6bf8afdc11f9182a3c93c4089031e49583bc77d891db7fba70c36a5dc

  • SHA512

    0e370bf8e33b1be60c1c3ab20ddd82bee26bfafb60dfa7a59beb3ee5b190e2e09b03b2df5ee4d9a45ffa8f9f20a3b1c6c79e2d7c3be16519bd70dff87ac6c0c9

  • SSDEEP

    6144:4x2WG4fmroW0nFxGbMWVbghxYHBE5793UCs+XBSLb4no8UMJa5toVKg435YA:9KfmroWKGgfCB98Q/DcKx3iA

Score
10/10
cybergateremotepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.11.0 - Public Version

Botnet

remote

C2

127.0.0.1:81

Mutex

AXJU854QUD4066

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    aaaaa.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    password www.hacks-bango.weebly.com/hacks.html

  • message_box_title

    error

  • password

    123456

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9080c3f6bf8afdc11f9182a3c93c4089031e49583bc77d891db7fba70c36a5dc.exe
    "C:\Users\Admin\AppData\Local\Temp\9080c3f6bf8afdc11f9182a3c93c4089031e49583bc77d891db7fba70c36a5dc.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Users\Admin\AppData\Local\Temp\File1.exe
      C:\Users\Admin\AppData\Local\Temp\File1.exe
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:360
        • C:\Users\Admin\AppData\Local\Temp\File1.exe
          "C:\Users\Admin\AppData\Local\Temp\File1.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:4712
        • C:\Program Files (x86)\install\server.exe
          "C:\Program Files (x86)\install\server.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3472
      • C:\Users\Admin\AppData\Local\Temp\File2.exe
        C:\Users\Admin\AppData\Local\Temp\File2.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2212

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\install\server.exe
      Filesize

      281KB

      MD5

      81a4c954f52c4589798c1c479b0fcea9

      SHA1

      859440c5405d57943601fec733be1557cd4b5351

      SHA256

      51c4ee7ec4d65d93344676af689b42cf796cd92ab5dc7af3c075625de1a80034

      SHA512

      f1e302e7ce2bc74d2030a3c0b26ba5c60467b4c1d5d69ede981582ed1c7ab71f74a0fe1da8434c991613a0d3fd2dda213737df6e5ede93f0fef0240c899bf9b2

      Download Submit

    • C:\Program Files (x86)\install\server.exe
      Filesize

      281KB

      MD5

      81a4c954f52c4589798c1c479b0fcea9

      SHA1

      859440c5405d57943601fec733be1557cd4b5351

      SHA256

      51c4ee7ec4d65d93344676af689b42cf796cd92ab5dc7af3c075625de1a80034

      SHA512

      f1e302e7ce2bc74d2030a3c0b26ba5c60467b4c1d5d69ede981582ed1c7ab71f74a0fe1da8434c991613a0d3fd2dda213737df6e5ede93f0fef0240c899bf9b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      238KB

      MD5

      078f719aa90c276919c2779e19021512

      SHA1

      0e8832dff33db6bd76c853fea1dfbb97ca4e085a

      SHA256

      46329fbe48a376214cb04e49a677cb5f77d5be7231c4a0ae381e66febe6bd99e

      SHA512

      cd0f3ad08e0186b7d4b246e5609db803ccf98e95f0984d813913d93e7b8ac930fa3fecadbd03b7a98e129c9abcd8cddae3dc271429a7323e338a9593c0f1c4f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\File1.exe
      Filesize

      281KB

      MD5

      81a4c954f52c4589798c1c479b0fcea9

      SHA1

      859440c5405d57943601fec733be1557cd4b5351

      SHA256

      51c4ee7ec4d65d93344676af689b42cf796cd92ab5dc7af3c075625de1a80034

      SHA512

      f1e302e7ce2bc74d2030a3c0b26ba5c60467b4c1d5d69ede981582ed1c7ab71f74a0fe1da8434c991613a0d3fd2dda213737df6e5ede93f0fef0240c899bf9b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\File1.exe
      Filesize

      281KB

      MD5

      81a4c954f52c4589798c1c479b0fcea9

      SHA1

      859440c5405d57943601fec733be1557cd4b5351

      SHA256

      51c4ee7ec4d65d93344676af689b42cf796cd92ab5dc7af3c075625de1a80034

      SHA512

      f1e302e7ce2bc74d2030a3c0b26ba5c60467b4c1d5d69ede981582ed1c7ab71f74a0fe1da8434c991613a0d3fd2dda213737df6e5ede93f0fef0240c899bf9b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\File1.exe
      Filesize

      281KB

      MD5

      81a4c954f52c4589798c1c479b0fcea9

      SHA1

      859440c5405d57943601fec733be1557cd4b5351

      SHA256

      51c4ee7ec4d65d93344676af689b42cf796cd92ab5dc7af3c075625de1a80034

      SHA512

      f1e302e7ce2bc74d2030a3c0b26ba5c60467b4c1d5d69ede981582ed1c7ab71f74a0fe1da8434c991613a0d3fd2dda213737df6e5ede93f0fef0240c899bf9b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\File2.exe
      Filesize

      12KB

      MD5

      0cf181ea397e5ce7982f384667a88ed1

      SHA1

      4b2622e9c2441594736ddb6c2d2b16a04396b139

      SHA256

      13ee22d4fc70c838d348b7d8d7e0c9176376c5ea6b73d0765f9debdab18fb208

      SHA512

      cd66f18d709842db4d988ca4d819441927102820f51398fecc4d9460839ecd03bd662d2b7d37b1e78f6ba7e0720534d20b9612c28224cd82ad6b1bbca1264699

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\File2.exe
      Filesize

      12KB

      MD5

      0cf181ea397e5ce7982f384667a88ed1

      SHA1

      4b2622e9c2441594736ddb6c2d2b16a04396b139

      SHA256

      13ee22d4fc70c838d348b7d8d7e0c9176376c5ea6b73d0765f9debdab18fb208

      SHA512

      cd66f18d709842db4d988ca4d819441927102820f51398fecc4d9460839ecd03bd662d2b7d37b1e78f6ba7e0720534d20b9612c28224cd82ad6b1bbca1264699

      Download Submit

    • memory/2212-150-0x0000000000000000-mapping.dmp

      Download

    • memory/3412-138-0x0000000010410000-0x0000000010482000-memory.dmp

      Filesize

      456KB

      Download

    • memory/3412-144-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

      Download

    • memory/3412-134-0x0000000000000000-mapping.dmp

      Download

    • memory/3472-155-0x0000000000000000-mapping.dmp

      Download

    • memory/4712-142-0x0000000000000000-mapping.dmp

      Download

    • memory/4712-148-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

      Download

    • memory/4712-147-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

      Download

    • memory/4712-158-0x0000000010490000-0x0000000010502000-memory.dmp

      Filesize

      456KB

      Download