Analysis
-
max time kernel
204s -
max time network
219s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-12-2022 04:18
General
-
Target
d1431ffce4e448e941fb950a60bba15fd8fdcdad50bd75083e8d0d38c465b917.exe
-
Size
407KB
-
MD5
4af688c058e19b716438e7eb80441aea
-
SHA1
97ff16b53ce7e12c2e19dc9cf46b40a1d3dec0c5
-
SHA256
d1431ffce4e448e941fb950a60bba15fd8fdcdad50bd75083e8d0d38c465b917
-
SHA512
da18cf08481f229bdddd75da53c374f1c5146c73670167b2d5af65ae2a4eb02e6ad4b9269457eb79211a3610b18d233906c6ad09ee7cd6592e0be1621ce4f531
-
SSDEEP
12288:B1dlZo5yIBNk2xKAk2n9jMyRdW3yO1dsL+We:B1dlZo5jTLxI2nhMmdWnsRe
Malware Config
Extracted
cybergate
v1.07.5
victima
please23.zapto.org:81
A4AN4P73Y37FMI
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
TEamo239?
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d1431ffce4e448e941fb950a60bba15fd8fdcdad50bd75083e8d0d38c465b917.exe"C:\Users\Admin\AppData\Local\Temp\d1431ffce4e448e941fb950a60bba15fd8fdcdad50bd75083e8d0d38c465b917.exe"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NBFile.exe"C:\Users\Admin\AppData\Local\Temp\NBFile.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NBFile.exe"C:\Users\Admin\AppData\Local\Temp\NBFile.exe"4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\install\server.exe"C:\Windows\install\server.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\install\server.exe"C:\Windows\install\server.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 5608⤵
- Program crash
-
C:\Windows\install\server.exe"C:\Windows\install\server.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\install\server.exe"C:\Windows\install\server.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 5487⤵
- Program crash
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Graficas1.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4416 -ip 44161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4480 -ip 44801⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
224KB
MD555be163c93ece96131a1b2d1a79105b2
SHA1fc7f018d610b65c09f614892aa80eeaa03727bee
SHA256eccd00de8c992238bca1508cd8aff33c58b561d08e98afeb1509343fe966bdfb
SHA512021a19b7c614f8b3011a62f82e0ce916235ba9c175de55127765f90c2914c5577e863840531d5693a64c26ce22a24a6e3ecd7f2bcbaaa64c43cbe2cde8aab83c
-
C:\Users\Admin\AppData\Local\Temp\NBFile.exeFilesize
291KB
MD5379e9aebff117fad70173b7494bc2edc
SHA10fb5b96b26658d36ef73a51e3b63d3d542982947
SHA256ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3
SHA5120f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4
-
C:\Users\Admin\AppData\Local\Temp\NBFile.exeFilesize
291KB
MD5379e9aebff117fad70173b7494bc2edc
SHA10fb5b96b26658d36ef73a51e3b63d3d542982947
SHA256ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3
SHA5120f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4
-
C:\Users\Admin\AppData\Local\Temp\NBFile.exeFilesize
291KB
MD5379e9aebff117fad70173b7494bc2edc
SHA10fb5b96b26658d36ef73a51e3b63d3d542982947
SHA256ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3
SHA5120f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4
-
C:\Windows\install\server.exeFilesize
291KB
MD5379e9aebff117fad70173b7494bc2edc
SHA10fb5b96b26658d36ef73a51e3b63d3d542982947
SHA256ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3
SHA5120f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4
-
C:\Windows\install\server.exeFilesize
291KB
MD5379e9aebff117fad70173b7494bc2edc
SHA10fb5b96b26658d36ef73a51e3b63d3d542982947
SHA256ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3
SHA5120f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4
-
C:\Windows\install\server.exeFilesize
291KB
MD5379e9aebff117fad70173b7494bc2edc
SHA10fb5b96b26658d36ef73a51e3b63d3d542982947
SHA256ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3
SHA5120f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4
-
C:\Windows\install\server.exeFilesize
291KB
MD5379e9aebff117fad70173b7494bc2edc
SHA10fb5b96b26658d36ef73a51e3b63d3d542982947
SHA256ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3
SHA5120f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4
-
C:\Windows\install\server.exeFilesize
291KB
MD5379e9aebff117fad70173b7494bc2edc
SHA10fb5b96b26658d36ef73a51e3b63d3d542982947
SHA256ab93ddd1558fa7470a98bdaf3246ee72ddfadeec2f6771edc6a50cd1c8b68fb3
SHA5120f4e15bd2ef1ea04b187646fbd1c828d13774421c21e9e3eb785a63cb9e8352eb8fc67f228bb563afb6c2c66ca471e33d4408b7f12b44ae0b1bf964cd81a99d4
-
memory/2032-152-0x0000000000000000-mapping.dmp
-
memory/2032-201-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmpFilesize
64KB
-
memory/2032-203-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmpFilesize
64KB
-
memory/2032-173-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2032-205-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2032-178-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2032-168-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2032-171-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2032-206-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2032-208-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2032-207-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2032-167-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/2044-153-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/2044-175-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2044-137-0x0000000000000000-mapping.dmp
-
memory/2044-162-0x00000000104F0000-0x0000000010555000-memory.dmpFilesize
404KB
-
memory/2044-138-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2044-144-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2044-147-0x0000000010410000-0x0000000010475000-memory.dmpFilesize
404KB
-
memory/2044-143-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2044-145-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2368-156-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/2368-151-0x0000000000000000-mapping.dmp
-
memory/2368-157-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/2368-197-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/3504-132-0x0000000000000000-mapping.dmp
-
memory/3504-142-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/3504-141-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/4064-189-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/4064-169-0x0000000000000000-mapping.dmp
-
memory/4088-165-0x00000000104F0000-0x0000000010555000-memory.dmpFilesize
404KB
-
memory/4088-166-0x00000000104F0000-0x0000000010555000-memory.dmpFilesize
404KB
-
memory/4088-198-0x00000000104F0000-0x0000000010555000-memory.dmpFilesize
404KB
-
memory/4088-161-0x0000000000000000-mapping.dmp
-
memory/4176-192-0x0000000000400000-0x0000000000407000-memory.dmpFilesize
28KB
-
memory/4176-172-0x0000000000000000-mapping.dmp
-
memory/4416-202-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4416-195-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4416-185-0x0000000000000000-mapping.dmp
-
memory/4480-196-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4480-180-0x0000000000000000-mapping.dmp
-
memory/4480-200-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4480-199-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4480-186-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4480-187-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB