Overview

overview

10

Static

static

9f330824e3...6b.exe

windows7-x64

10

9f330824e3...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 10:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9f330824e3106c985abb4967dc6f8ba37aa7ce8c33abb70a8eaa9feff15e2d6b.exe

  • Size

    1.4MB

  • MD5

    29a6deb602e8ba4a71b369c4aa48e89f

  • SHA1

    7cadb4beadab893524cc51e93c0b63ab89a87057

  • SHA256

    9f330824e3106c985abb4967dc6f8ba37aa7ce8c33abb70a8eaa9feff15e2d6b

  • SHA512

    92eec53b8d9e6d84d411bfeffccbf4c5c0a08e7e52acf63559d06385885153bae9891dbd9ed5652738dd1003979ba2c012fe409d4044b9d11a84076970d59f8c

  • SSDEEP

    24576:s3Syp13QWl/5IWU5bIjUUODz30/XpYceph11/GR6QDbIjUUODz30/XpYceph11/A:Wz9QaqaxU3WZepR/GR61xU3WZepR/GR5

Score
10/10
cybergateozipersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

ozi

C2

spynet271.no-ip.biz:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    system32

  • install_file

    host.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    1234qwer

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
    persistence
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3000
      • C:\Users\Admin\AppData\Local\Temp\9f330824e3106c985abb4967dc6f8ba37aa7ce8c33abb70a8eaa9feff15e2d6b.exe
        "C:\Users\Admin\AppData\Local\Temp\9f330824e3106c985abb4967dc6f8ba37aa7ce8c33abb70a8eaa9feff15e2d6b.exe"
        2⤵
        • Checks computer location settings
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4032
            • C:\Windows\SysWOW64\system32\host.exe
              "C:\Windows\system32\system32\host.exe"
              5⤵
              • Executes dropped EXE
              PID:9080
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 9080 -s 572
                6⤵
                • Program crash
                PID:9144
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
              PID:6292
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 1160
                5⤵
                • Program crash
                PID:9056
          • C:\Users\Admin\AppData\Local\Temp\server.exe
            "C:\Users\Admin\AppData\Local\Temp\server.exe"
            3⤵
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            PID:1476
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              4⤵
              • Modifies Installed Components in the registry
              PID:3732
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              4⤵
                PID:6272
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 1176
                  5⤵
                  • Program crash
                  PID:9048
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1248
              3⤵
              • Program crash
              PID:220
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1248
              3⤵
              • Program crash
              PID:6224
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5060 -ip 5060
          1⤵
            PID:1236
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5060 -ip 5060
            1⤵
              PID:6172
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6292 -ip 6292
              1⤵
                PID:9008
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6272 -ip 6272
                1⤵
                  PID:9016
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 9080 -ip 9080
                  1⤵
                    PID:9120

                  Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
                          Filesize

                          588KB

                          MD5

                          bf93691d87aa654c9915356ea59a96b3

                          SHA1

                          818dcf1b827f75c05330c09a856b361cff1eb1fe

                          SHA256

                          eabe6d02e8dd25021caafb1bace356f82d7ff202273d345462c32c376943341c

                          SHA512

                          64818705695512bd88ff4f0cc052a78d51d488bfa51a31d162061444619ac47ef9391694611fd9d28313c1a6cde00b6cd021179a683db611c191053b227427d7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
                          Filesize

                          588KB

                          MD5

                          bf93691d87aa654c9915356ea59a96b3

                          SHA1

                          818dcf1b827f75c05330c09a856b361cff1eb1fe

                          SHA256

                          eabe6d02e8dd25021caafb1bace356f82d7ff202273d345462c32c376943341c

                          SHA512

                          64818705695512bd88ff4f0cc052a78d51d488bfa51a31d162061444619ac47ef9391694611fd9d28313c1a6cde00b6cd021179a683db611c191053b227427d7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                          Filesize

                          472KB

                          MD5

                          82bd76f399f5db6e6f1e6368b2bd8f90

                          SHA1

                          4d472ad3774860edbbf935dd70934b495ac70f7c

                          SHA256

                          29f76f788588ca575de2fb0c89c7e8f95250ac9e0e193adea4c6a996e59a7b2a

                          SHA512

                          f2577c6213cfed9634ba14ea58e6b2963a9ae1a5f6ce2c184d3443f67c93cea0417229deac77d6f3cb19f70321ef19cd51e2e51dadbaa50b4a815b2626210747

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                          Filesize

                          472KB

                          MD5

                          82bd76f399f5db6e6f1e6368b2bd8f90

                          SHA1

                          4d472ad3774860edbbf935dd70934b495ac70f7c

                          SHA256

                          29f76f788588ca575de2fb0c89c7e8f95250ac9e0e193adea4c6a996e59a7b2a

                          SHA512

                          f2577c6213cfed9634ba14ea58e6b2963a9ae1a5f6ce2c184d3443f67c93cea0417229deac77d6f3cb19f70321ef19cd51e2e51dadbaa50b4a815b2626210747

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                          Filesize

                          472KB

                          MD5

                          82bd76f399f5db6e6f1e6368b2bd8f90

                          SHA1

                          4d472ad3774860edbbf935dd70934b495ac70f7c

                          SHA256

                          29f76f788588ca575de2fb0c89c7e8f95250ac9e0e193adea4c6a996e59a7b2a

                          SHA512

                          f2577c6213cfed9634ba14ea58e6b2963a9ae1a5f6ce2c184d3443f67c93cea0417229deac77d6f3cb19f70321ef19cd51e2e51dadbaa50b4a815b2626210747

                          Download Submit

                        • C:\Windows\SysWOW64\system32\host.exe
                          Filesize

                          472KB

                          MD5

                          82bd76f399f5db6e6f1e6368b2bd8f90

                          SHA1

                          4d472ad3774860edbbf935dd70934b495ac70f7c

                          SHA256

                          29f76f788588ca575de2fb0c89c7e8f95250ac9e0e193adea4c6a996e59a7b2a

                          SHA512

                          f2577c6213cfed9634ba14ea58e6b2963a9ae1a5f6ce2c184d3443f67c93cea0417229deac77d6f3cb19f70321ef19cd51e2e51dadbaa50b4a815b2626210747

                          Download Submit

                        • C:\Windows\SysWOW64\system32\host.exe
                          Filesize

                          472KB

                          MD5

                          82bd76f399f5db6e6f1e6368b2bd8f90

                          SHA1

                          4d472ad3774860edbbf935dd70934b495ac70f7c

                          SHA256

                          29f76f788588ca575de2fb0c89c7e8f95250ac9e0e193adea4c6a996e59a7b2a

                          SHA512

                          f2577c6213cfed9634ba14ea58e6b2963a9ae1a5f6ce2c184d3443f67c93cea0417229deac77d6f3cb19f70321ef19cd51e2e51dadbaa50b4a815b2626210747

                          Download Submit

                        • C:\Windows\SysWOW64\system32\host.exe
                          Filesize

                          472KB

                          MD5

                          82bd76f399f5db6e6f1e6368b2bd8f90

                          SHA1

                          4d472ad3774860edbbf935dd70934b495ac70f7c

                          SHA256

                          29f76f788588ca575de2fb0c89c7e8f95250ac9e0e193adea4c6a996e59a7b2a

                          SHA512

                          f2577c6213cfed9634ba14ea58e6b2963a9ae1a5f6ce2c184d3443f67c93cea0417229deac77d6f3cb19f70321ef19cd51e2e51dadbaa50b4a815b2626210747

                          Download Submit

                        • memory/1476-191-0x0000000000400000-0x00000000004AD000-memory.dmp

                          Filesize

                          692KB

                          Download

                        • memory/1476-181-0x00000000104D0000-0x000000001052C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/1476-142-0x0000000010470000-0x00000000104CC000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/1476-158-0x0000000010410000-0x000000001046C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/3732-172-0x0000000010410000-0x000000001046C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/4032-173-0x0000000010470000-0x00000000104CC000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/4032-198-0x0000000010470000-0x00000000104CC000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/4604-137-0x0000000000400000-0x00000000004AD000-memory.dmp

                          Filesize

                          692KB

                          Download

                        • memory/4604-160-0x0000000010470000-0x00000000104CC000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/4604-178-0x00000000104D0000-0x000000001052C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/4604-190-0x0000000000400000-0x00000000004AD000-memory.dmp

                          Filesize

                          692KB

                          Download

                        • memory/4604-144-0x0000000010410000-0x000000001046C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/6272-194-0x00000000104D0000-0x000000001052C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/6272-199-0x00000000104D0000-0x000000001052C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/6292-196-0x00000000104D0000-0x000000001052C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/6292-200-0x00000000104D0000-0x000000001052C000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/9080-195-0x0000000000400000-0x00000000004AD000-memory.dmp

                          Filesize

                          692KB

                          Download

                        • memory/9080-197-0x0000000000400000-0x00000000004AD000-memory.dmp

                          Filesize

                          692KB

                          Download