Overview

overview

10

Static

static

10

b00424edfc...8a.exe

windows7-x64

10

b00424edfc...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    89s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b00424edfc48711031bad31abfe49fda518bae28377d2fb2f473105770dc988a.exe

  • Size

    860KB

  • MD5

    4eddd070fa5aa3359fa83a03c109946c

  • SHA1

    14196a95592659aa960db4afa20f7f80e016839f

  • SHA256

    b00424edfc48711031bad31abfe49fda518bae28377d2fb2f473105770dc988a

  • SHA512

    9adceb76951a016260fa24b9c12013311a2488fe1be918cf23c806d16bbfbc2644941fed0b06fca11ccd10146ea5d804ddb1a4b0fda9f4a70bbc8f90b9b73b69

  • SSDEEP

    12288:M39wslcTBd47GLRMTbmVt8BURgxr/V+phmdE808YKXF:dsl6d474mfmVtAUsUphmdErp

Score
10/10
cybergatevictimepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

C2

bshades95.no-ip.org:82

Mutex

3K65S1BAQYI442

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Settings

  • install_file

    opera.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Le fichier n'est pas un éxécutable valide. Veuillez vérifier votre compabilité plateforme x32 ou x64bits.

  • message_box_title

    explorer.exe

  • password

    hacker

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\b00424edfc48711031bad31abfe49fda518bae28377d2fb2f473105770dc988a.exe
        "C:\Users\Admin\AppData\Local\Temp\b00424edfc48711031bad31abfe49fda518bae28377d2fb2f473105770dc988a.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          3⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:700
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Suspicious use of AdjustPrivilegeToken
            PID:568
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1180
            • C:\Windows\SysWOW64\Settings\opera.exe
              "C:\Windows\system32\Settings\opera.exe"
              5⤵
              • Executes dropped EXE
              PID:1544
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:1680
            • C:\Windows\SysWOW64\Settings\opera.exe
              "C:\Windows\system32\Settings\opera.exe"
              4⤵
              • Executes dropped EXE
              PID:1504
          • C:\Users\Admin\AppData\Local\Temp\csrss.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1484

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      3
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        7214fa5f49eeb6876955565146e6ad96

        SHA1

        ab83b1b9882cf1578f7766777d1fbfb3d3131590

        SHA256

        d8a08fea0dab5a23c342496aea7f59e739ba69899349e9fae1773704420e2b26

        SHA512

        7abea091d8544558eee750cc37843631803a8148f4da5a4f0dcd06432042266981e446b1bfa6ead43f2a1e484d63bce1ef06973331aa2c8ca1aec249f4935a6f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\csrss.exe
        Filesize

        379KB

        MD5

        9a2347903d6edb84c10f288bc0578c1c

        SHA1

        ae96a47e781ed600704b0b040f6b5c8a92ac5e51

        SHA256

        5dca5dad7a63810dacee7f38c098a7b2d68617bf8175f05147e44d19dfa57a04

        SHA512

        e80a158455179bdad7cd388beee9ccfa6e89073671e7386f14e00bf0c4b96e998db50f1274fe5371e518f2ffe8279d0038996da384d1555bd36926b17797a29d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • C:\Windows\SysWOW64\Settings\opera.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • C:\Windows\SysWOW64\Settings\opera.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • C:\Windows\SysWOW64\Settings\opera.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • \Users\Admin\AppData\Local\Temp\svchost.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • \Windows\SysWOW64\Settings\opera.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • \Windows\SysWOW64\Settings\opera.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • \Windows\SysWOW64\Settings\opera.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • \Windows\SysWOW64\Settings\opera.exe
        Filesize

        296KB

        MD5

        1b992f0ff95138b3eaf7a0fdc8dc4ea3

        SHA1

        be861be10bd11d5db5cfa02cf930cedbe50ad848

        SHA256

        c427895505ab0ff191447548c21133aa3d0c01009627683d4b9ab19c8a46fec0

        SHA512

        36255f061e28b52eb5b4d5defe38fe8f8a1ca21d2f344a936fdac416c0b66fc013223d462f609eea3b9f5f7516e5efab554223bd80aaeff1ff6ef10fc34ab33c

        Download Submit
      • memory/568-75-0x0000000074511000-0x0000000074513000-memory.dmp
        Filesize

        8KB

        Download
      • memory/568-81-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/568-84-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/568-73-0x0000000000000000-mapping.dmp
        Download
      • memory/700-76-0x0000000010480000-0x00000000104E5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/700-94-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/700-56-0x0000000000000000-mapping.dmp
        Download
      • memory/700-86-0x00000000104F0000-0x0000000010555000-memory.dmp
        Filesize

        404KB

        Download
      • memory/700-58-0x00000000757A1000-0x00000000757A3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/700-67-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1180-99-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1180-91-0x0000000000000000-mapping.dmp
        Download
      • memory/1180-110-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1180-111-0x0000000010560000-0x00000000105C5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1212-70-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1484-64-0x0000000000400000-0x000000000055D000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1484-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1504-102-0x0000000000000000-mapping.dmp
        Download
      • memory/1544-107-0x0000000000000000-mapping.dmp
        Download
      • memory/1652-54-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/1652-61-0x0000000000B36000-0x0000000000B55000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1652-55-0x000007FEF33A0000-0x000007FEF4436000-memory.dmp
        Filesize

        16.6MB

        Download