Overview

overview

10

Static

static

d6435be2b0...a6.exe

windows7-x64

10

d6435be2b0...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6.exe

  • Size

    760KB

  • MD5

    3e2a57446e7cb2204f2cc2366164a5d4

  • SHA1

    f8c3e8d31f3e2cbe7033d38671faed639e9dab7d

  • SHA256

    d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6

  • SHA512

    6eaf2fb59a2f612228f76cb4ff0d20d867c39823884ee8c152da21b4e5fcd89138a9f39de23812e815e4b4a4d1b7ee758039cea9f226cf2fd32297bd3a0d9b92

  • SSDEEP

    12288:7n6bjcB3SqPLZJC645qRYIIjosQyyaRV0DlOvl4vYrUcmmej7DDk52osjG:b6lqPNMFOYIKosQ1awJ+l4vG1mmejfDS

Score
10/10
cybergatevictimepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

C2

pedologiciel.no-ip.org:81

Mutex

LMC5A5AWOS860S

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    windir

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Le bot Dofus n'est pas compatible avec votre Ordinateur actuel. Merci d'essayer de relancer le bot sur un nouvel ordinateur

  • message_box_title

    INCOMPATIBLE

  • password

    123456

  • regkey_hkcu

    svchost.exe

  • regkey_hklm

    svchost.exe

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6.exe
    "C:\Users\Admin\AppData\Local\Temp\d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:608
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:584
        • C:\Windows\windir\svchost.exe
          "C:\Windows\windir\svchost.exe"
          4⤵
          • Executes dropped EXE
          PID:1528
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1056
      • C:\Users\Admin\AppData\Local\Temp\sbscmp10.exe
        C:\Users\Admin\AppData\Local\Temp\\sbscmp10.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          4⤵
            PID:1080

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      225KB

      MD5

      81361fe4ce9e1eb712e8a1e897b74634

      SHA1

      165a41632eea25b85a34447e25638ff733f01496

      SHA256

      0ea7ac2971f1759c85395ad54e8356f175e64c19f609e0a480b1722e03ea7b54

      SHA512

      95368a4b26beb838f127c2893f101817165c1afea86065863dd45c7bac67e76b352350222c36ad4a5075897805d1b8a1db97424570defe3b517933e9cb2d4713

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sbscmp10.exe
      Filesize

      760KB

      MD5

      3e2a57446e7cb2204f2cc2366164a5d4

      SHA1

      f8c3e8d31f3e2cbe7033d38671faed639e9dab7d

      SHA256

      d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6

      SHA512

      6eaf2fb59a2f612228f76cb4ff0d20d867c39823884ee8c152da21b4e5fcd89138a9f39de23812e815e4b4a4d1b7ee758039cea9f226cf2fd32297bd3a0d9b92

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sbscmp10.exe
      Filesize

      760KB

      MD5

      3e2a57446e7cb2204f2cc2366164a5d4

      SHA1

      f8c3e8d31f3e2cbe7033d38671faed639e9dab7d

      SHA256

      d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6

      SHA512

      6eaf2fb59a2f612228f76cb4ff0d20d867c39823884ee8c152da21b4e5fcd89138a9f39de23812e815e4b4a4d1b7ee758039cea9f226cf2fd32297bd3a0d9b92

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe
      Filesize

      9KB

      MD5

      a9c263f463aa341cb82c895e3cc74a8e

      SHA1

      a3822a2402e7b4ab127fb3057dd2181288912067

      SHA256

      5db638ce5aaef711c16fa1459e0712426c70aabbcd26b1cbe17cf0396a63d04a

      SHA512

      2d862a509061c98d75010efeccd32c31b5474ce62970139f56c6a603e210faae96b604868d3ccabe2b476244f9e17cfe821c8fe2c30a6f8da0c89dd49f771fda

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe
      Filesize

      9KB

      MD5

      a9c263f463aa341cb82c895e3cc74a8e

      SHA1

      a3822a2402e7b4ab127fb3057dd2181288912067

      SHA256

      5db638ce5aaef711c16fa1459e0712426c70aabbcd26b1cbe17cf0396a63d04a

      SHA512

      2d862a509061c98d75010efeccd32c31b5474ce62970139f56c6a603e210faae96b604868d3ccabe2b476244f9e17cfe821c8fe2c30a6f8da0c89dd49f771fda

      Download Submit
    • C:\Windows\windir\svchost.exe
      Filesize

      54KB

      MD5

      0f01571a3e4c71eb4313175aae86488e

      SHA1

      2ba648afe2cd52edf5f25e304f77d457abf7ac0e

      SHA256

      8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

      SHA512

      159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

      Download Submit
    • C:\Windows\windir\svchost.exe
      Filesize

      54KB

      MD5

      0f01571a3e4c71eb4313175aae86488e

      SHA1

      2ba648afe2cd52edf5f25e304f77d457abf7ac0e

      SHA256

      8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

      SHA512

      159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

      Download Submit
    • \Users\Admin\AppData\Local\Temp\sbscmp10.exe
      Filesize

      760KB

      MD5

      3e2a57446e7cb2204f2cc2366164a5d4

      SHA1

      f8c3e8d31f3e2cbe7033d38671faed639e9dab7d

      SHA256

      d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6

      SHA512

      6eaf2fb59a2f612228f76cb4ff0d20d867c39823884ee8c152da21b4e5fcd89138a9f39de23812e815e4b4a4d1b7ee758039cea9f226cf2fd32297bd3a0d9b92

      Download Submit
    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe
      Filesize

      9KB

      MD5

      a9c263f463aa341cb82c895e3cc74a8e

      SHA1

      a3822a2402e7b4ab127fb3057dd2181288912067

      SHA256

      5db638ce5aaef711c16fa1459e0712426c70aabbcd26b1cbe17cf0396a63d04a

      SHA512

      2d862a509061c98d75010efeccd32c31b5474ce62970139f56c6a603e210faae96b604868d3ccabe2b476244f9e17cfe821c8fe2c30a6f8da0c89dd49f771fda

      Download Submit
    • \Windows\windir\svchost.exe
      Filesize

      54KB

      MD5

      0f01571a3e4c71eb4313175aae86488e

      SHA1

      2ba648afe2cd52edf5f25e304f77d457abf7ac0e

      SHA256

      8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

      SHA512

      159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

      Download Submit
    • memory/584-83-0x0000000000000000-mapping.dmp
      Download
    • memory/584-90-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/584-88-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/584-105-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/584-97-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/608-54-0x0000000075811000-0x0000000075813000-memory.dmp
      Filesize

      8KB

      Download
    • memory/608-56-0x0000000074110000-0x00000000746BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/608-55-0x0000000074110000-0x00000000746BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1008-100-0x0000000000000000-mapping.dmp
      Download
    • memory/1008-106-0x0000000074110000-0x00000000746BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1008-103-0x0000000074110000-0x00000000746BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1056-104-0x0000000074110000-0x00000000746BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1056-81-0x0000000074110000-0x00000000746BB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1056-76-0x0000000000000000-mapping.dmp
      Download
    • memory/1080-117-0x000000000040E1A8-mapping.dmp
      Download
    • memory/1080-120-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1080-122-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1080-124-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-63-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-85-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1484-58-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-60-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-57-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-61-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-62-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-68-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-80-0x0000000000401000-0x000000000040F000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1484-67-0x000000000040E1A8-mapping.dmp
      Download
    • memory/1484-64-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-66-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-74-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-72-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1484-70-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1528-94-0x0000000000000000-mapping.dmp
      Download