Analysis

  • max time kernel
    262s
  • max time network
    335s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/12/2022, 11:21 UTC

General

  • Target

    e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe

  • Size

    754KB

  • MD5

    c5140aef3baa6885a185cca194809f8b

  • SHA1

    ab352ae0e7822236625d7479e6e7e11df0175d3b

  • SHA256

    e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047

  • SHA512

    99e4c6c570a82d067e1660ff6657b2d94914dfb7717e3d2b328e883a65539457d5fab1111c49bdaf0e09609ae060ad9ca714793a53eee4e3f8b1343e2981b71f

  • SSDEEP

    12288:VvQt60sTsdVAlCWnH2YwfqJL7Al0mWfB50/lm82dy9toTY7W2HRhVzCrDYkjW:xQXsDMOHWfqgNWQdv2s9toMWu/VzCXVW

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

raaboo00.no-ip.org:288

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    eremb

  • install_file

    windows.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    it

  • regkey_hklm

    ig

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe
        "C:\Users\Admin\AppData\Local\Temp\e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Users\Admin\AppData\Local\Temp\e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe
          C:\Users\Admin\AppData\Local\Temp\e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:1664
          • C:\Users\Admin\AppData\Local\Temp\e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe
            "C:\Users\Admin\AppData\Local\Temp\e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe"
            4⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1680
            • C:\windows\SysWOW64\microsoft\eremb\windows.exe
              "C:\windows\system32\microsoft\eremb\windows.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:1516
              • C:\windows\SysWOW64\microsoft\eremb\windows.exe
                C:\windows\SysWOW64\microsoft\eremb\windows.exe
                6⤵
                • Executes dropped EXE
                PID:1192

    Network

    • DNS
      Domain: raaboo00.no-ip.org
      Process: e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe
      Remote address: 8.8.8.8:53
      Request: raaboo00.no-ip.org IN A
      Response: No results found
    • 8.8.8.8:53
      Domain: raaboo00.no-ip.org
      Type: dns
      Process: e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047.exe
      64 B / 124 B, 1 / 1
      DNS Request: raaboo00.no-ip.org

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      229KB

      MD5

      d9f9dc7d1f92bd720a75ca1ff29efc95

      SHA1

      a007e0b8a69d4ec828d58bec72bec2ba8f1d3d58

      SHA256

      2a77d588dea91a500483d64a72c19c769cdf4fe9404f09d7a115f22e96ccb2d7

      SHA512

      bd13ceea36f97203f20df1d78d1d05c2b8b5f41201c33946461e7194ef91013cfda35250ab727c096fc4cfa2b17d7d50509b3ae472c85816c61b9ea9e634b3a4

    • C:\Windows\SysWOW64\microsoft\eremb\windows.exe

      Filesize

      754KB

      MD5

      c5140aef3baa6885a185cca194809f8b

      SHA1

      ab352ae0e7822236625d7479e6e7e11df0175d3b

      SHA256

      e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047

      SHA512

      99e4c6c570a82d067e1660ff6657b2d94914dfb7717e3d2b328e883a65539457d5fab1111c49bdaf0e09609ae060ad9ca714793a53eee4e3f8b1343e2981b71f

    • \??\c:\windows\SysWOW64\microsoft\eremb\windows.exe

      Filesize

      754KB

      MD5

      c5140aef3baa6885a185cca194809f8b

      SHA1

      ab352ae0e7822236625d7479e6e7e11df0175d3b

      SHA256

      e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047

      SHA512

      99e4c6c570a82d067e1660ff6657b2d94914dfb7717e3d2b328e883a65539457d5fab1111c49bdaf0e09609ae060ad9ca714793a53eee4e3f8b1343e2981b71f

    • \Windows\SysWOW64\microsoft\eremb\windows.exe

      Filesize

      754KB

      MD5

      c5140aef3baa6885a185cca194809f8b

      SHA1

      ab352ae0e7822236625d7479e6e7e11df0175d3b

      SHA256

      e49c8ca914cce43fffbf5ebebf7166dd7ae6709e2cef861f2e870c8644ee0047

      SHA512

      99e4c6c570a82d067e1660ff6657b2d94914dfb7717e3d2b328e883a65539457d5fab1111c49bdaf0e09609ae060ad9ca714793a53eee4e3f8b1343e2981b71f

    • memory/652-61-0x0000000000400000-0x00000000005B0000-memory.dmp

      Filesize

      1.7MB

    • memory/652-56-0x0000000000400000-0x00000000005B0000-memory.dmp

      Filesize

      1.7MB

    • memory/652-57-0x0000000001D90000-0x0000000001DF0000-memory.dmp

      Filesize

      384KB

    • memory/1192-112-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/1192-110-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/1192-111-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/1372-69-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

    • memory/1516-108-0x0000000000310000-0x0000000000370000-memory.dmp

      Filesize

      384KB

    • memory/1516-107-0x0000000000400000-0x00000000005B0000-memory.dmp

      Filesize

      1.7MB

    • memory/1664-74-0x0000000074671000-0x0000000074673000-memory.dmp

      Filesize

      8KB

    • memory/1664-80-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

    • memory/1664-83-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

    • memory/1680-94-0x0000000000400000-0x00000000005B0000-memory.dmp

      Filesize

      1.7MB

    • memory/1680-95-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

    • memory/1680-96-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

    • memory/1680-92-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

    • memory/2008-93-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2008-87-0x00000000240F0000-0x0000000024152000-memory.dmp

      Filesize

      392KB

    • memory/2008-75-0x0000000024080000-0x00000000240E2000-memory.dmp

      Filesize

      392KB

    • memory/2008-66-0x0000000024010000-0x0000000024072000-memory.dmp

      Filesize

      392KB

    • memory/2008-64-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2008-63-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2008-62-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

      Filesize

      8KB

    • memory/2008-60-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

    • memory/2008-58-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB