Overview

overview

10

Static

static

d1431ffce4...17.exe

windows7-x64

10

d1431ffce4...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 04:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1431ffce4e448e941fb950a60bba15fd8fdcdad50bd75083e8d0d38c465b917.exe

  • Size

    407KB

  • MD5

    4af688c058e19b716438e7eb80441aea

  • SHA1

    97ff16b53ce7e12c2e19dc9cf46b40a1d3dec0c5

  • SHA256

    d1431ffce4e448e941fb950a60bba15fd8fdcdad50bd75083e8d0d38c465b917

  • SHA512

    da18cf08481f229bdddd75da53c374f1c5146c73670167b2d5af65ae2a4eb02e6ad4b9269457eb79211a3610b18d233906c6ad09ee7cd6592e0be1621ce4f531

  • SSDEEP

    12288:B1dlZo5yIBNk2xKAk2n9jMyRdW3yO1dsL+We:B1dlZo5jTLxI2nhMmdWnsRe

Score
10/10
cybergatevictimapersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victima

C2

please23.zapto.org:81

Mutex

A4AN4P73Y37FMI

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    TEamo239?

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1248
      • C:\Users\Admin\AppData\Local\Temp\d1431ffce4e448e941fb950a60bba15fd8fdcdad50bd75083e8d0d38c465b917.exe
        "C:\Users\Admin\AppData\Local\Temp\d1431ffce4e448e941fb950a60bba15fd8fdcdad50bd75083e8d0d38c465b917.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Users\Admin\AppData\Local\Temp\NBFile.exe
          "C:\Users\Admin\AppData\Local\Temp\NBFile.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Users\Admin\AppData\Local\Temp\NBFile.exe
            "C:\Users\Admin\AppData\Local\Temp\NBFile.exe"
            4⤵
            • Adds policy Run key to start application
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1388
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
              • Modifies Installed Components in the registry
              • Suspicious use of AdjustPrivilegeToken
              PID:304
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
              • Loads dropped DLL
              • Drops desktop.ini file(s)
              • Drops file in Windows directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1440
              • C:\Windows\install\server.exe
                "C:\Windows\install\server.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:1100
                • C:\Windows\install\server.exe
                  "C:\Windows\install\server.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:1840
            • C:\Windows\install\server.exe
              "C:\Windows\install\server.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:1072
              • C:\Windows\install\server.exe
                "C:\Windows\install\server.exe"
                6⤵
                • Executes dropped EXE
                PID:1784
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Graficas1.docx"
          3⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:1708
          • C:\Windows\splwow64.exe
            C:\Windows\splwow64.exe 12288
            4⤵
              PID:1512

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      3
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        55be163c93ece96131a1b2d1a79105b2

        SHA1

        fc7f018d610b65c09f614892aa80eeaa03727bee

        SHA256

        eccd00de8c992238bca1508cd8aff33c58b561d08e98afeb1509343fe966bdfb

        SHA512

        021a19b7c614f8b3011a62f82e0ce916235ba9c175de55127765f90c2914c5577e863840531d5693a64c26ce22a24a6e3ecd7f2bcbaaa64c43cbe2cde8aab83c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\NBFile.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\NBFile.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\NBFile.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • C:\Windows\install\server.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • C:\Windows\install\server.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • C:\Windows\install\server.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • C:\Windows\install\server.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • C:\Windows\install\server.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • \??\PIPE\srvsvc
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • \Users\Admin\AppData\Local\Temp\NBFile.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • \Users\Admin\AppData\Local\Temp\NBFile.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • \Users\Admin\AppData\Local\Temp\NBFile.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • \Windows\install\server.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • \Windows\install\server.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • \Windows\install\server.exe
        Filesize

        291KB

        MD5

        379e9aebff117fad70173b7494bc2edc

        SHA1

        0fb5b96b26658d36ef73a51e3b63d3d542982947

        SHA256

        ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3

        SHA512

        0f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4

        Download Submit
      • memory/304-94-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/304-80-0x0000000000000000-mapping.dmp
        Download
      • memory/304-90-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/304-83-0x0000000073C41000-0x0000000073C43000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1072-129-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1072-111-0x0000000000000000-mapping.dmp
        Download
      • memory/1100-133-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1100-117-0x0000000000000000-mapping.dmp
        Download
      • memory/1248-77-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1388-101-0x00000000104F0000-0x0000000010555000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1388-72-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1388-70-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1388-85-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1388-74-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1388-115-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1388-69-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1388-64-0x0000000000456620-mapping.dmp
        Download
      • memory/1388-63-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1416-71-0x0000000002420000-0x0000000002427000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1416-54-0x0000000075E81000-0x0000000075E83000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1440-106-0x00000000104F0000-0x0000000010555000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1440-143-0x00000000104F0000-0x0000000010555000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1440-144-0x0000000003BC0000-0x0000000003BC7000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1440-108-0x00000000104F0000-0x0000000010555000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1440-96-0x0000000000000000-mapping.dmp
        Download
      • memory/1440-137-0x0000000003BC0000-0x0000000003BC7000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1512-146-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1512-145-0x0000000000000000-mapping.dmp
        Download
      • memory/1556-66-0x0000000000400000-0x0000000000407000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1556-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1708-82-0x0000000000000000-mapping.dmp
        Download
      • memory/1708-142-0x0000000070FFD000-0x0000000071008000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1708-84-0x0000000072591000-0x0000000072594000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1708-149-0x0000000070FFD000-0x0000000071008000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1708-148-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1708-91-0x0000000070011000-0x0000000070013000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1708-107-0x0000000070FFD000-0x0000000071008000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1708-99-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1784-140-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1784-127-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1784-130-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1784-139-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1784-120-0x0000000000456620-mapping.dmp
        Download
      • memory/1840-141-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download
      • memory/1840-128-0x0000000000456620-mapping.dmp
        Download
      • memory/1840-138-0x0000000000400000-0x0000000000458000-memory.dmp
        Filesize

        352KB

        Download