Overview

overview

10

Static

static

8425989fe2...1b.exe

windows7-x64

10

8425989fe2...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/12/2022, 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b.exe

  • Size

    472KB

  • MD5

    90bb128ec246bfaa7d2802a0e8665c98

  • SHA1

    5c3061dd171ed870e3048665ad7374c2127918ad

  • SHA256

    8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

  • SHA512

    ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

  • SSDEEP

    6144:Z5cAKFkSTQz3PSBA9pmMgKb6WL8q0bFTU+HgNdnpfJcifTQnJ4UB8q2Yj9:Z5crZ8z3PCpw6tdAvbnXTQnyU8DY

Score
10/10
cybergatevítimapersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

berkturkmen.zapto.org:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    system32

  • install_file

    win32.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 16 IoCs
    persistence
  • Executes dropped EXE 9 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2824
      • C:\Users\Admin\AppData\Local\Temp\8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b.exe
        "C:\Users\Admin\AppData\Local\Temp\8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Users\Admin\AppData\Local\Temp\8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b.exe
          C:\Users\Admin\AppData\Local\Temp\8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Checks computer location settings
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Adds policy Run key to start application
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            PID:4968
            • C:\Windows\SysWOW64\system32\win32.exe
              "C:\Windows\system32\system32\win32.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:2928
              • C:\Windows\SysWOW64\system32\win32.exe
                C:\Windows\SysWOW64\system32\win32.exe
                6⤵
                • Adds policy Run key to start application
                • Executes dropped EXE
                • Modifies Installed Components in the registry
                • Adds Run key to start application
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                PID:1972
                • C:\Windows\SysWOW64\system32\win32.exe
                  "C:\Windows\SysWOW64\system32\win32.exe"
                  7⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:60
                  • C:\Windows\SysWOW64\system32\win32.exe
                    "C:\Windows\SysWOW64\system32\win32.exe"
                    8⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Suspicious use of SetWindowsHookEx
                    PID:1956
                    • C:\Windows\SysWOW64\system32\win32.exe
                      C:\Windows\SysWOW64\system32\win32.exe
                      9⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1968
          • C:\Windows\SysWOW64\system32\win32.exe
            "C:\Windows\system32\system32\win32.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:1524
            • C:\Windows\SysWOW64\system32\win32.exe
              C:\Windows\SysWOW64\system32\win32.exe
              5⤵
              • Adds policy Run key to start application
              • Executes dropped EXE
              • Modifies Installed Components in the registry
              • Checks computer location settings
              • Adds Run key to start application
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              PID:316
              • C:\Users\Admin\AppData\Roaming\system32\win32.exe
                "C:\Users\Admin\AppData\Roaming\system32\win32.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:3676
                • C:\Users\Admin\AppData\Roaming\system32\win32.exe
                  C:\Users\Admin\AppData\Roaming\system32\win32.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1844

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      229KB

      MD5

      6d39e0ecac0b4983b03055eac30007c7

      SHA1

      69c041bd286cd83118d70d4000e6d343f16933d2

      SHA256

      580ce1da5ed1d9140179d7e50035e1fcb4bb52f9a2651b7015a2bbf31a1b3a79

      SHA512

      ed731bad8e5c6340b6dc91a1e338614eca6d99a3a276aa1d1b200fff52a30fbe94a9bb214ab7488ce8546db98ef7ac2b46c3622fe2d58ec3fac0e504043651dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      229KB

      MD5

      0b2ca1f4e89a368f244afe45780cec69

      SHA1

      909da69b95090aa2950f39bd0dc3b945eee5d960

      SHA256

      e7edeff9a687bac8acfa119a0927e02340df15eeec0ef314b0f0154b03a6c026

      SHA512

      d7ab8f3467393c077fa66c0f67b88b2e09239f4a85de90d0d4fd96d59ea02a4d3adbfaff8fd921a1e03c0db89e774eec53a40aa0bad215b807c04c9593af01fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      229KB

      MD5

      0b2ca1f4e89a368f244afe45780cec69

      SHA1

      909da69b95090aa2950f39bd0dc3b945eee5d960

      SHA256

      e7edeff9a687bac8acfa119a0927e02340df15eeec0ef314b0f0154b03a6c026

      SHA512

      d7ab8f3467393c077fa66c0f67b88b2e09239f4a85de90d0d4fd96d59ea02a4d3adbfaff8fd921a1e03c0db89e774eec53a40aa0bad215b807c04c9593af01fe

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2891029575-1462575-1165213807-1000\88603cb2913a7df3fbd16b5f958e6447_9be0bf4d-f8db-4af4-be85-dc38433c9501
      Filesize

      51B

      MD5

      5fc2ac2a310f49c14d195230b91a8885

      SHA1

      90855cc11136ba31758fe33b5cf9571f9a104879

      SHA256

      374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

      SHA512

      ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Users\Admin\AppData\Roaming\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Windows\SysWOW64\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Windows\SysWOW64\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Windows\SysWOW64\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Windows\SysWOW64\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Windows\SysWOW64\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Windows\SysWOW64\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Windows\SysWOW64\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • C:\Windows\SysWOW64\system32\win32.exe
      Filesize

      472KB

      MD5

      90bb128ec246bfaa7d2802a0e8665c98

      SHA1

      5c3061dd171ed870e3048665ad7374c2127918ad

      SHA256

      8425989fe24cde0df99787cd6606b2b267bc462884fae517fa03a7db93b6d41b

      SHA512

      ee6415e0bddc0ae0f11f2e38cdc4a6e349400530c0d41eeeacfeefa3acf13e3295d7bb9e67e5721a1a61ae1607f020d98c4dc55ea96fb69fc28e943f71bce850

      Download Submit

    • memory/60-208-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/60-216-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/60-228-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/316-175-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/316-190-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/316-173-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/316-174-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/1844-215-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/1968-227-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/1968-226-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/1972-185-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/1972-205-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1972-209-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2052-141-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2052-160-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2052-135-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2052-142-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2052-149-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2052-136-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2052-140-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2052-137-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

      Download

    • memory/2052-144-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4968-152-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4968-155-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

      Download