Overview

overview

10

Static

static

e22a92a192...4b.exe

windows7-x64

10

e22a92a192...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    193s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2022 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b.exe

  • Size

    347KB

  • MD5

    211195ac21eb346fa2daa526a7f6d292

  • SHA1

    1f448ad122f9d3ed3ae89eb0a7851c02bc6be004

  • SHA256

    e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b

  • SHA512

    c4dc5c2c3a41ee0821866924b3ce21191a63ab6163bcbed5dc60fb57acac3f38ac915d2e1617b76cb0c4b3b8209a37bb5a8c5dcbef1601a963489c6b37859bff

  • SSDEEP

    6144:ZFtTlXtdNCMHIwXFWXOd7YRqG2VSUhZBafR/8+scysK5G6sAebxZ1nW9YrTBsiBH:ZxX7NCA9XFWXP4G0SUhZBSRkmMvsfxZT

Score
10/10
cybergate123persistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

123

C2

onski123.no-ip.biz:9876

Mutex

3IN7F8CKT1P2EL

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./public_html/logs/

  • ftp_interval

    20

  • ftp_password

    6a8w73bdOO

  • ftp_port

    21

  • ftp_server

    merch4gold.com

  • ftp_username

    merch4go

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    true

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b.exe
    "C:\Users\Admin\AppData\Local\Temp\e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4736
    • C:\Users\Admin\AppData\Local\Temp\System\lssam.exe
      "C:\Users\Admin\AppData\Local\Temp\System\lssam.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
        "C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          4⤵
            PID:1832
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              5⤵
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2840
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                6⤵
                  PID:3840

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        ccffbad317ffe99e76f538182fd41ccf

        SHA1

        197cfd4b8fa468fbf105958196bd6df955759dc3

        SHA256

        2ef2d0856193a0006b982d756c0f656ac60ea9abfb91c6ab04bc35336af82796

        SHA512

        7f84e94420f49ef1383a885954f1c8829d5ce07659288eacee64f2a5f525b790b47cbb8031236907ae3a5eb9266cb25976666426d0741922337efecef7be7c1b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\System\lssam.exe
        Filesize

        25KB

        MD5

        b347591498c2c74cc3c23597cb1f34cc

        SHA1

        27054194904202938e3e7cdb10cf2c291767fdef

        SHA256

        24ada6c187f2c3188bd3e437443822f4f87fd997d9cc8d6d4abf38ba28e8528b

        SHA512

        e365f543b667ccc9b0fe5d3e5827e4df0f0f5a72676f3e7fc498ebe2f84d67d14db54d6742fdabe9c08004c6dce76d7befeac6b3f39ba1163663ae870ea973b6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\System\lssam.exe
        Filesize

        25KB

        MD5

        b347591498c2c74cc3c23597cb1f34cc

        SHA1

        27054194904202938e3e7cdb10cf2c291767fdef

        SHA256

        24ada6c187f2c3188bd3e437443822f4f87fd997d9cc8d6d4abf38ba28e8528b

        SHA512

        e365f543b667ccc9b0fe5d3e5827e4df0f0f5a72676f3e7fc498ebe2f84d67d14db54d6742fdabe9c08004c6dce76d7befeac6b3f39ba1163663ae870ea973b6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
        Filesize

        347KB

        MD5

        211195ac21eb346fa2daa526a7f6d292

        SHA1

        1f448ad122f9d3ed3ae89eb0a7851c02bc6be004

        SHA256

        e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b

        SHA512

        c4dc5c2c3a41ee0821866924b3ce21191a63ab6163bcbed5dc60fb57acac3f38ac915d2e1617b76cb0c4b3b8209a37bb5a8c5dcbef1601a963489c6b37859bff

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
        Filesize

        347KB

        MD5

        211195ac21eb346fa2daa526a7f6d292

        SHA1

        1f448ad122f9d3ed3ae89eb0a7851c02bc6be004

        SHA256

        e22a92a192751ca568942939c56829a1f00067427a809b7b7f77ca88b68f344b

        SHA512

        c4dc5c2c3a41ee0821866924b3ce21191a63ab6163bcbed5dc60fb57acac3f38ac915d2e1617b76cb0c4b3b8209a37bb5a8c5dcbef1601a963489c6b37859bff

        Download Submit
      • memory/208-145-0x0000000075240000-0x00000000757F1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/208-137-0x0000000000000000-mapping.dmp
        Download
      • memory/208-166-0x0000000075240000-0x00000000757F1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/528-136-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/528-133-0x0000000000000000-mapping.dmp
        Download
      • memory/528-135-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/528-134-0x0000000000400000-0x000000000044F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/808-132-0x0000000075240000-0x00000000757F1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/808-151-0x0000000075240000-0x00000000757F1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1832-155-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1832-147-0x0000000000000000-mapping.dmp
        Download
      • memory/2840-154-0x0000000000000000-mapping.dmp
        Download
      • memory/2840-167-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/2840-169-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/3812-146-0x0000000075240000-0x00000000757F1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3812-143-0x0000000000000000-mapping.dmp
        Download
      • memory/3812-168-0x0000000075240000-0x00000000757F1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/3840-165-0x0000000000000000-mapping.dmp
        Download
      • memory/4736-161-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/4736-164-0x0000000010410000-0x0000000010475000-memory.dmp
        Filesize

        404KB

        Download
      • memory/4736-141-0x0000000000000000-mapping.dmp
        Download