Overview

overview

10

Static

static

b272460741...99.exe

windows7-x64

10

b272460741...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899.exe

  • Size

    341KB

  • MD5

    f6963bf35872677c0951f80e1045d600

  • SHA1

    6dea92224609c87bf40230343d0d3a3a3e2a838a

  • SHA256

    b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899

  • SHA512

    52b2419a59c8ced6562a90d6f561452f7028e424a3b613abe8d1f7a29d6365fc701aef38ffdfcbb38aba339cf94b6aab4cea755a7abedee2c14c664c03d1d90b

  • SSDEEP

    6144:0jWhODe3QFouyyvz4SSNpwQzRUZLQigaHRYkGYYxvOKUwygamiXY0354u:0C40Q+uys4SSNKKRKya8YYxmKazmeYyv

Score
10/10
cybergatevictimepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

C2

pedologiciel.no-ip.org:81

Mutex

A65C25I36501N8

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    windir

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Le bot Dofus n'est pas compatible avec votre Ordinateur actuel. Merci d'essayer de relancer le bot sur un nouvel ordinateur

  • message_box_title

    INCOMPATIBLE

  • password

    123456

  • regkey_hkcu

    svchost.exe

  • regkey_hklm

    svchost.exe

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899.exe
    "C:\Users\Admin\AppData\Local\Temp\b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:108
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1676
        • C:\Windows\windir\svchost.exe
          "C:\Windows\windir\svchost.exe"
          4⤵
          • Executes dropped EXE
          PID:688
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe
        "C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          4⤵
            PID:1628

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      225KB

      MD5

      151708674e18e4a81f86f7b5f2964003

      SHA1

      b25f3ef81e8efbb645ee9e0169ed6f83f68c2a34

      SHA256

      f5435fc42ecafcf82b4a77e8ae3789d0b9360f447507950d3fc8b1a497fa8d20

      SHA512

      a58bccd7b42414da270336478b8c93d9528435f3b557f849d767010f0acbd77d29f09adb08b0ae3e08db2ad0f02a6f31ce516a09127fa03cf4fd923ffdcbebd4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe
      Filesize

      341KB

      MD5

      f6963bf35872677c0951f80e1045d600

      SHA1

      6dea92224609c87bf40230343d0d3a3a3e2a838a

      SHA256

      b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899

      SHA512

      52b2419a59c8ced6562a90d6f561452f7028e424a3b613abe8d1f7a29d6365fc701aef38ffdfcbb38aba339cf94b6aab4cea755a7abedee2c14c664c03d1d90b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe
      Filesize

      341KB

      MD5

      f6963bf35872677c0951f80e1045d600

      SHA1

      6dea92224609c87bf40230343d0d3a3a3e2a838a

      SHA256

      b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899

      SHA512

      52b2419a59c8ced6562a90d6f561452f7028e424a3b613abe8d1f7a29d6365fc701aef38ffdfcbb38aba339cf94b6aab4cea755a7abedee2c14c664c03d1d90b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
      Filesize

      10KB

      MD5

      0ffe61cc4f11f271c8203c026aa81d39

      SHA1

      19214fb896c7a9144313b1196195053b3a63c6e0

      SHA256

      61c0c7127c5708c273c96cd0bccff3ba8149e5f279962a30ac551ae47e6d838e

      SHA512

      d78201b3f60a93c708b55033cd235f73204b923aee570ed35f423759db25e99b895b65e528af79f3a5272313bff14db01af20bb37a5df2d4287793b980ae4ce4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
      Filesize

      10KB

      MD5

      0ffe61cc4f11f271c8203c026aa81d39

      SHA1

      19214fb896c7a9144313b1196195053b3a63c6e0

      SHA256

      61c0c7127c5708c273c96cd0bccff3ba8149e5f279962a30ac551ae47e6d838e

      SHA512

      d78201b3f60a93c708b55033cd235f73204b923aee570ed35f423759db25e99b895b65e528af79f3a5272313bff14db01af20bb37a5df2d4287793b980ae4ce4

      Download Submit
    • C:\Windows\windir\svchost.exe
      Filesize

      54KB

      MD5

      0f01571a3e4c71eb4313175aae86488e

      SHA1

      2ba648afe2cd52edf5f25e304f77d457abf7ac0e

      SHA256

      8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

      SHA512

      159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

      Download Submit
    • C:\Windows\windir\svchost.exe
      Filesize

      54KB

      MD5

      0f01571a3e4c71eb4313175aae86488e

      SHA1

      2ba648afe2cd52edf5f25e304f77d457abf7ac0e

      SHA256

      8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

      SHA512

      159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

      Download Submit
    • \Users\Admin\AppData\Local\Temp\SearchFillterHost.exe
      Filesize

      341KB

      MD5

      f6963bf35872677c0951f80e1045d600

      SHA1

      6dea92224609c87bf40230343d0d3a3a3e2a838a

      SHA256

      b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899

      SHA512

      52b2419a59c8ced6562a90d6f561452f7028e424a3b613abe8d1f7a29d6365fc701aef38ffdfcbb38aba339cf94b6aab4cea755a7abedee2c14c664c03d1d90b

      Download Submit
    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
      Filesize

      10KB

      MD5

      0ffe61cc4f11f271c8203c026aa81d39

      SHA1

      19214fb896c7a9144313b1196195053b3a63c6e0

      SHA256

      61c0c7127c5708c273c96cd0bccff3ba8149e5f279962a30ac551ae47e6d838e

      SHA512

      d78201b3f60a93c708b55033cd235f73204b923aee570ed35f423759db25e99b895b65e528af79f3a5272313bff14db01af20bb37a5df2d4287793b980ae4ce4

      Download Submit
    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
      Filesize

      10KB

      MD5

      0ffe61cc4f11f271c8203c026aa81d39

      SHA1

      19214fb896c7a9144313b1196195053b3a63c6e0

      SHA256

      61c0c7127c5708c273c96cd0bccff3ba8149e5f279962a30ac551ae47e6d838e

      SHA512

      d78201b3f60a93c708b55033cd235f73204b923aee570ed35f423759db25e99b895b65e528af79f3a5272313bff14db01af20bb37a5df2d4287793b980ae4ce4

      Download Submit
    • \Windows\windir\svchost.exe
      Filesize

      54KB

      MD5

      0f01571a3e4c71eb4313175aae86488e

      SHA1

      2ba648afe2cd52edf5f25e304f77d457abf7ac0e

      SHA256

      8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

      SHA512

      159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

      Download Submit
    • memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp
      Filesize

      8KB

      Download
    • memory/108-56-0x0000000074AA0000-0x000000007504B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/108-55-0x0000000074AA0000-0x000000007504B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/688-102-0x0000000000000000-mapping.dmp
      Download
    • memory/1012-87-0x0000000074AA0000-0x000000007504B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1012-105-0x0000000074AA0000-0x000000007504B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1012-78-0x0000000000000000-mapping.dmp
      Download
    • memory/1188-84-0x0000000000000000-mapping.dmp
      Download
    • memory/1188-106-0x0000000074AA0000-0x000000007504B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1188-88-0x0000000074AA0000-0x000000007504B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1448-67-0x000000000040E1A8-mapping.dmp
      Download
    • memory/1448-64-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-74-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-72-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-70-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-68-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-66-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-57-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-92-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1448-58-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-60-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-75-0x0000000000401000-0x000000000040F000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1448-61-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-63-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1448-62-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1628-118-0x000000000040E1A8-mapping.dmp
      Download
    • memory/1628-121-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1628-123-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1628-125-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1676-99-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1676-97-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1676-95-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1676-90-0x0000000000000000-mapping.dmp
      Download
    • memory/1676-107-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download