Overview

overview

10

Static

static

b272460741...99.exe

windows7-x64

10

b272460741...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899.exe

  • Size

    341KB

  • MD5

    f6963bf35872677c0951f80e1045d600

  • SHA1

    6dea92224609c87bf40230343d0d3a3a3e2a838a

  • SHA256

    b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899

  • SHA512

    52b2419a59c8ced6562a90d6f561452f7028e424a3b613abe8d1f7a29d6365fc701aef38ffdfcbb38aba339cf94b6aab4cea755a7abedee2c14c664c03d1d90b

  • SSDEEP

    6144:0jWhODe3QFouyyvz4SSNpwQzRUZLQigaHRYkGYYxvOKUwygamiXY0354u:0C40Q+uys4SSNKKRKya8YYxmKazmeYyv

Score
10/10
cybergatevictimepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

C2

pedologiciel.no-ip.org:81

Mutex

A65C25I36501N8

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    windir

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Le bot Dofus n'est pas compatible avec votre Ordinateur actuel. Merci d'essayer de relancer le bot sur un nouvel ordinateur

  • message_box_title

    INCOMPATIBLE

  • password

    123456

  • regkey_hkcu

    svchost.exe

  • regkey_hklm

    svchost.exe

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899.exe
    "C:\Users\Admin\AppData\Local\Temp\b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4752
        • C:\Windows\windir\svchost.exe
          "C:\Windows\windir\svchost.exe"
          4⤵
          • Executes dropped EXE
          PID:3792
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:8
      • C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe
        "C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        PID:492
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          4⤵
            PID:2576

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      225KB

      MD5

      151708674e18e4a81f86f7b5f2964003

      SHA1

      b25f3ef81e8efbb645ee9e0169ed6f83f68c2a34

      SHA256

      f5435fc42ecafcf82b4a77e8ae3789d0b9360f447507950d3fc8b1a497fa8d20

      SHA512

      a58bccd7b42414da270336478b8c93d9528435f3b557f849d767010f0acbd77d29f09adb08b0ae3e08db2ad0f02a6f31ce516a09127fa03cf4fd923ffdcbebd4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe
      Filesize

      341KB

      MD5

      f6963bf35872677c0951f80e1045d600

      SHA1

      6dea92224609c87bf40230343d0d3a3a3e2a838a

      SHA256

      b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899

      SHA512

      52b2419a59c8ced6562a90d6f561452f7028e424a3b613abe8d1f7a29d6365fc701aef38ffdfcbb38aba339cf94b6aab4cea755a7abedee2c14c664c03d1d90b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\SearchFillterHost.exe
      Filesize

      341KB

      MD5

      f6963bf35872677c0951f80e1045d600

      SHA1

      6dea92224609c87bf40230343d0d3a3a3e2a838a

      SHA256

      b272460741b873f8e5237dc42a0df832f9b1b22e19246be61d4f01c59e5f4899

      SHA512

      52b2419a59c8ced6562a90d6f561452f7028e424a3b613abe8d1f7a29d6365fc701aef38ffdfcbb38aba339cf94b6aab4cea755a7abedee2c14c664c03d1d90b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
      Filesize

      10KB

      MD5

      0ffe61cc4f11f271c8203c026aa81d39

      SHA1

      19214fb896c7a9144313b1196195053b3a63c6e0

      SHA256

      61c0c7127c5708c273c96cd0bccff3ba8149e5f279962a30ac551ae47e6d838e

      SHA512

      d78201b3f60a93c708b55033cd235f73204b923aee570ed35f423759db25e99b895b65e528af79f3a5272313bff14db01af20bb37a5df2d4287793b980ae4ce4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\InteliTrace.exe
      Filesize

      10KB

      MD5

      0ffe61cc4f11f271c8203c026aa81d39

      SHA1

      19214fb896c7a9144313b1196195053b3a63c6e0

      SHA256

      61c0c7127c5708c273c96cd0bccff3ba8149e5f279962a30ac551ae47e6d838e

      SHA512

      d78201b3f60a93c708b55033cd235f73204b923aee570ed35f423759db25e99b895b65e528af79f3a5272313bff14db01af20bb37a5df2d4287793b980ae4ce4

      Download Submit
    • C:\Windows\windir\svchost.exe
      Filesize

      57KB

      MD5

      454501a66ad6e85175a6757573d79f8b

      SHA1

      8ca96c61f26a640a5b1b1152d055260b9d43e308

      SHA256

      7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

      SHA512

      9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

      Download Submit
    • C:\Windows\windir\svchost.exe
      Filesize

      57KB

      MD5

      454501a66ad6e85175a6757573d79f8b

      SHA1

      8ca96c61f26a640a5b1b1152d055260b9d43e308

      SHA256

      7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

      SHA512

      9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

      Download Submit
    • memory/8-158-0x00000000746C0000-0x0000000074C71000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/8-153-0x00000000746C0000-0x0000000074C71000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/8-147-0x0000000000000000-mapping.dmp
      Download
    • memory/492-154-0x0000000000000000-mapping.dmp
      Download
    • memory/492-159-0x00000000746C0000-0x0000000074C71000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/492-156-0x00000000746C0000-0x0000000074C71000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1664-136-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1664-135-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1664-140-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1664-137-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/1664-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2576-160-0x0000000000000000-mapping.dmp
      Download
    • memory/2576-163-0x0000000000400000-0x000000000044F000-memory.dmp
      Filesize

      316KB

      Download
    • memory/3792-148-0x0000000000000000-mapping.dmp
      Download
    • memory/4752-157-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/4752-144-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/4752-143-0x0000000010410000-0x0000000010475000-memory.dmp
      Filesize

      404KB

      Download
    • memory/4752-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4800-132-0x00000000746C0000-0x0000000074C71000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4800-133-0x00000000746C0000-0x0000000074C71000-memory.dmp
      Filesize

      5.7MB

      Download