Overview

overview

10

Static

static

d6435be2b0...a6.exe

windows7-x64

10

d6435be2b0...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6.exe

  • Size

    760KB

  • MD5

    3e2a57446e7cb2204f2cc2366164a5d4

  • SHA1

    f8c3e8d31f3e2cbe7033d38671faed639e9dab7d

  • SHA256

    d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6

  • SHA512

    6eaf2fb59a2f612228f76cb4ff0d20d867c39823884ee8c152da21b4e5fcd89138a9f39de23812e815e4b4a4d1b7ee758039cea9f226cf2fd32297bd3a0d9b92

  • SSDEEP

    12288:7n6bjcB3SqPLZJC645qRYIIjosQyyaRV0DlOvl4vYrUcmmej7DDk52osjG:b6lqPNMFOYIKosQ1awJ+l4vG1mmejfDS

Score
10/10
cybergatevictimepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

C2

pedologiciel.no-ip.org:81

Mutex

LMC5A5AWOS860S

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    windir

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Le bot Dofus n'est pas compatible avec votre Ordinateur actuel. Merci d'essayer de relancer le bot sur un nouvel ordinateur

  • message_box_title

    INCOMPATIBLE

  • password

    123456

  • regkey_hkcu

    svchost.exe

  • regkey_hklm

    svchost.exe

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6.exe
    "C:\Users\Admin\AppData\Local\Temp\d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4900
        • C:\Windows\windir\svchost.exe
          "C:\Windows\windir\svchost.exe"
          4⤵
          • Executes dropped EXE
          PID:2896
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4296
      • C:\Users\Admin\AppData\Local\Temp\sbscmp10.exe
        C:\Users\Admin\AppData\Local\Temp\\sbscmp10.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:3692
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          4⤵
            PID:4632

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      225KB

      MD5

      81361fe4ce9e1eb712e8a1e897b74634

      SHA1

      165a41632eea25b85a34447e25638ff733f01496

      SHA256

      0ea7ac2971f1759c85395ad54e8356f175e64c19f609e0a480b1722e03ea7b54

      SHA512

      95368a4b26beb838f127c2893f101817165c1afea86065863dd45c7bac67e76b352350222c36ad4a5075897805d1b8a1db97424570defe3b517933e9cb2d4713

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sbscmp10.exe
      Filesize

      760KB

      MD5

      3e2a57446e7cb2204f2cc2366164a5d4

      SHA1

      f8c3e8d31f3e2cbe7033d38671faed639e9dab7d

      SHA256

      d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6

      SHA512

      6eaf2fb59a2f612228f76cb4ff0d20d867c39823884ee8c152da21b4e5fcd89138a9f39de23812e815e4b4a4d1b7ee758039cea9f226cf2fd32297bd3a0d9b92

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sbscmp10.exe
      Filesize

      760KB

      MD5

      3e2a57446e7cb2204f2cc2366164a5d4

      SHA1

      f8c3e8d31f3e2cbe7033d38671faed639e9dab7d

      SHA256

      d6435be2b0329e5ef1073cc8a3bab8b6d88e6d9f8944d9b47d77204b54bfbfa6

      SHA512

      6eaf2fb59a2f612228f76cb4ff0d20d867c39823884ee8c152da21b4e5fcd89138a9f39de23812e815e4b4a4d1b7ee758039cea9f226cf2fd32297bd3a0d9b92

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe
      Filesize

      9KB

      MD5

      a9c263f463aa341cb82c895e3cc74a8e

      SHA1

      a3822a2402e7b4ab127fb3057dd2181288912067

      SHA256

      5db638ce5aaef711c16fa1459e0712426c70aabbcd26b1cbe17cf0396a63d04a

      SHA512

      2d862a509061c98d75010efeccd32c31b5474ce62970139f56c6a603e210faae96b604868d3ccabe2b476244f9e17cfe821c8fe2c30a6f8da0c89dd49f771fda

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mscormmc.exe
      Filesize

      9KB

      MD5

      a9c263f463aa341cb82c895e3cc74a8e

      SHA1

      a3822a2402e7b4ab127fb3057dd2181288912067

      SHA256

      5db638ce5aaef711c16fa1459e0712426c70aabbcd26b1cbe17cf0396a63d04a

      SHA512

      2d862a509061c98d75010efeccd32c31b5474ce62970139f56c6a603e210faae96b604868d3ccabe2b476244f9e17cfe821c8fe2c30a6f8da0c89dd49f771fda

      Download Submit
    • C:\Windows\windir\svchost.exe
      Filesize

      57KB

      MD5

      454501a66ad6e85175a6757573d79f8b

      SHA1

      8ca96c61f26a640a5b1b1152d055260b9d43e308

      SHA256

      7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

      SHA512

      9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

      Download Submit
    • C:\Windows\windir\svchost.exe
      Filesize

      57KB

      MD5

      454501a66ad6e85175a6757573d79f8b

      SHA1

      8ca96c61f26a640a5b1b1152d055260b9d43e308

      SHA256

      7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

      SHA512

      9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

      Download Submit
    • memory/1612-137-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1612-134-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-136-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1612-135-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1612-140-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/2556-133-0x00000000746F0000-0x0000000074CA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2556-132-0x00000000746F0000-0x0000000074CA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2896-148-0x0000000000000000-mapping.dmp
      Download
    • memory/3692-159-0x00000000746F0000-0x0000000074CA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3692-155-0x0000000000000000-mapping.dmp
      Download
    • memory/3692-158-0x00000000746F0000-0x0000000074CA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4296-154-0x00000000746F0000-0x0000000074CA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4296-152-0x00000000746F0000-0x0000000074CA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4296-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4632-160-0x0000000000000000-mapping.dmp
      Download
    • memory/4632-163-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/4900-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4900-153-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/4900-146-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/4900-143-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download