Overview

overview

10

Static

static

287fbf03e1...59.exe

windows7-x64

10

287fbf03e1...59.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    50s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 22:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe

  • Size

    2.0MB

  • MD5

    0ce92ed77c07532a818e8604c582fcec

  • SHA1

    eb0932f99b64a6cca7e1cd96c989ee14810b5dae

  • SHA256

    287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59

  • SHA512

    dba5affc0b225c2f1068da92ab516f38cc6daf2132134471fd732b08d563c0fb8cfb9607c374d98146af3a0b9f2521aa53e7a6ae95e6e885f114f8a80cb2ab67

  • SSDEEP

    49152:l/DduN3sJM79Gg+DhRg9Wu/O0xFJog2wz:lrduNes8tY9Wu/fxTo2

Score
10/10
cybergateremotestealertrojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

spraslhivai.no-ip.info:12345

Mutex

683LG4WHIT0W6R

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe
    "C:\Users\Admin\AppData\Local\Temp\287fbf03e151eb1f14e051c401135ea45ea928b1eff4b54257753c5863058a59.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\intell.exe
      "C:\Users\Admin\AppData\Local\Temp\intell.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Users\Admin\AppData\Local\Temp\intell.exe
        "C:\Users\Admin\AppData\Local\Temp\intell.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Users\Admin\AppData\Local\Temp\intell.EXE
          "C:\Users\Admin\AppData\Local\Temp\intell.EXE"
          4⤵
          • Executes dropped EXE
          PID:796

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • \Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • \Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • \Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • \Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • \Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • \Users\Admin\AppData\Local\Temp\intell.exe
    Filesize

    1.7MB

    MD5

    cf589d524b8ea080275efbae7448a904

    SHA1

    417a83d229bd6d53e445b1949faca63482cc0d5b

    SHA256

    4f8898afcd2fdef8bebadff99c992721e8da68ec3b3be6b178199845d8d9ef2a

    SHA512

    94f0bcc3611382c15556bfc554e96d25ff8f743bfe2e24a57d4affffe1d81bfaec62c0294edd1917497d64f0e0862fd6db9b103ddfa9e5df80408bbdb91fa189

    Download Submit

  • memory/796-113-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/796-109-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/1092-76-0x0000000002200000-0x00000000023F2000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1672-57-0x0000000003030000-0x0000000003222000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-85-0x0000000000405000-0x0000000000406000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-82-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-86-0x0000000000403000-0x0000000000404000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-87-0x0000000000402000-0x0000000000403000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-89-0x0000000000408000-0x0000000000409000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-90-0x0000000000409000-0x000000000040A000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-91-0x000000000040B000-0x000000000040C000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-92-0x000000000040D000-0x000000000040E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-97-0x000000000040C000-0x000000000040D000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-84-0x0000000000404000-0x0000000000405000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-104-0x0000000000403000-0x0000000000404000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-108-0x0000000004440000-0x0000000004632000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1768-101-0x000000000040A000-0x000000000040B000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-77-0x00000000020B1000-0x00000000021A8000-memory.dmp

    Filesize

    988KB

    Download

  • memory/1768-70-0x00000000020B0000-0x00000000021F2000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1768-68-0x0000000000511000-0x0000000000512000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-112-0x0000000000404000-0x0000000000405000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-121-0x0000000000402000-0x0000000000403000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1768-117-0x0000000000405000-0x0000000000406000-memory.dmp

    Filesize

    4KB

    Download