Overview

overview

10

Static

static

d37befc983...24.exe

windows7-x64

10

d37befc983...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    191s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 08:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24.exe

  • Size

    529KB

  • MD5

    fb4d81ec0e4b961d1fed3c31d663a90a

  • SHA1

    a14307aef747edb356bdcaa643eea1e645342013

  • SHA256

    d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24

  • SHA512

    08a08716cdc6fdea8f5844c61a44541dc8ac31900624414d0326e4a8599a8444612d242a3d5a824f23fca316665a157e01a32c4c58aedeb8e2f060e3d36b257c

  • SSDEEP

    12288:iws3BcN2emjotGtuy6H8eAtpVxagSCyVCbS0jYNFXifvS:iN3BWmoElNSCyVCe0jYLy

Score
10/10
cybergateremotepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.02.7

Botnet

remote

C2

buenasondas.no-ip.biz:81

Mutex

16X65KS0A215BO

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    csrss.exe

  • install_dir

    MsnSettings

  • install_file

    Updates.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    dapimp

  • regkey_hkcu

    MsnPluss

  • regkey_hklm

    MsnPluss

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24.exe
    "C:\Users\Admin\AppData\Local\Temp\d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24.exe
      "C:\Users\Admin\AppData\Local\Temp\d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24.exe"
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Modifies Installed Components in the registry
        PID:1132
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:1944
        • C:\Users\Admin\AppData\Local\Temp\d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24.exe
          "C:\Users\Admin\AppData\Local\Temp\d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24.exe"
          3⤵
          • Checks computer location settings
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2440
          • C:\Windows\SysWOW64\MsnSettings\Updates.exe
            "C:\Windows\system32\MsnSettings\Updates.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:2928
            • C:\Windows\SysWOW64\MsnSettings\Updates.exe
              "C:\Windows\SysWOW64\MsnSettings\Updates.exe"
              5⤵
              • Executes dropped EXE
              PID:344
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 576
                6⤵
                • Program crash
                PID:1592
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 344 -ip 344
        1⤵
          PID:2028

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
                Filesize

                219KB

                MD5

                bbf4fe40815187a4869b736f1ebcc540

                SHA1

                c2aeafafbbceec32125060f297694d2b4a452aed

                SHA256

                dbce9c8651b488e79dab610eb269f57f737c71f57ba17461c1f30d347c6a2e5b

                SHA512

                255f7ab8233a3e4819f496e6694d0071df6883542d88c15fac2df56a524780fb61047f503b74b607abbf3c19b4d6a7dd0d04e723d0c556ecbe03051568d6840d

                Download Submit

              • C:\Windows\SysWOW64\MsnSettings\Updates.exe
                Filesize

                529KB

                MD5

                fb4d81ec0e4b961d1fed3c31d663a90a

                SHA1

                a14307aef747edb356bdcaa643eea1e645342013

                SHA256

                d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24

                SHA512

                08a08716cdc6fdea8f5844c61a44541dc8ac31900624414d0326e4a8599a8444612d242a3d5a824f23fca316665a157e01a32c4c58aedeb8e2f060e3d36b257c

                Download Submit

              • C:\Windows\SysWOW64\MsnSettings\Updates.exe
                Filesize

                529KB

                MD5

                fb4d81ec0e4b961d1fed3c31d663a90a

                SHA1

                a14307aef747edb356bdcaa643eea1e645342013

                SHA256

                d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24

                SHA512

                08a08716cdc6fdea8f5844c61a44541dc8ac31900624414d0326e4a8599a8444612d242a3d5a824f23fca316665a157e01a32c4c58aedeb8e2f060e3d36b257c

                Download Submit

              • C:\Windows\SysWOW64\MsnSettings\Updates.exe
                Filesize

                529KB

                MD5

                fb4d81ec0e4b961d1fed3c31d663a90a

                SHA1

                a14307aef747edb356bdcaa643eea1e645342013

                SHA256

                d37befc983e4585d2c5779de018cc527f517f3b3c98919555d0365fe701e1a24

                SHA512

                08a08716cdc6fdea8f5844c61a44541dc8ac31900624414d0326e4a8599a8444612d242a3d5a824f23fca316665a157e01a32c4c58aedeb8e2f060e3d36b257c

                Download Submit

              • memory/344-179-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/344-181-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/344-182-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/1132-168-0x0000000024070000-0x00000000240CF000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1132-151-0x0000000024070000-0x00000000240CF000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1132-152-0x0000000024070000-0x00000000240CF000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1444-138-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/1444-134-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/1916-143-0x0000000024010000-0x000000002406F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1916-141-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/1916-154-0x00000000240D0000-0x000000002412F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1916-161-0x0000000024130000-0x000000002418F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1916-136-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/1916-137-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/1916-167-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/1916-148-0x0000000024070000-0x00000000240CF000-memory.dmp

                Filesize

                380KB

                Download

              • memory/1916-139-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/1916-140-0x0000000000400000-0x000000000044B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/2440-165-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2440-169-0x0000000024130000-0x000000002418F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/2440-166-0x0000000024130000-0x000000002418F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/2440-164-0x0000000024130000-0x000000002418F000-memory.dmp

                Filesize

                380KB

                Download

              • memory/2928-174-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2928-180-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download