Analysis

  • max time kernel
    157s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/01/2023, 11:10

General

  • Target

    aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe

  • Size

    597KB

  • MD5

    a7cf3a9a2608091aeefd3b028f6c8212

  • SHA1

    773f38e2676c57f2b70754aca0a0ddc0e3b3861f

  • SHA256

    aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745

  • SHA512

    22ab8c3f06bfc3ce4cb1c886b9fec218cc8a6245c6adc96ac16308a5bdb3ae02fc7ab5437a87182b3d00074009219f1814b84e4b3b1b2a6ebfa38000bfb3185f

  • SSDEEP

    12288:p7JRNRtfWDuCIe0A/RDwtOkNglXrOS8OmARzFmInZkUb/G//MM3trzpHw0:ptO6+f/5wtmxrOS8zOZkWuB

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

1

C2

hobolicker.servebeer.com:569

Mutex

Y0108IAWI27L0C

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    giblets1880

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool (RAT) with a wide array of functionalities (remote shell, file manager, keylogger, screen capture); Rebhip is the name under which antivirus vendors track the same family.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; for a CyberGate sample it is better explained by the RAT enumerating drives for its file manager.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe
    "C:\Users\Admin\AppData\Local\Temp\aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "
          4⤵
          • Drops startup file
          PID:364
    • C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      2⤵
      PID:4812
    • C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        PID:4444
      • C:\Windows\Temp\svchost.exe
        "C:\Windows\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4744
    • C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      2⤵
      PID:1448
    • C:\Windows\Temp\svchost.exe
      C:\Windows\Temp\svchost.exe
      2⤵
      PID:4804
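The process tree above, together with the extracted config (C2 host, Run-key persistence), is what a detection engineer would turn into rules. The following is an added example by the editor, not part of the sandbox report: a small set of rules run over constructed Sysmon-style events that mirror the chain (cmd.exe running java.bat, wscript.exe running invs.vbs, a dropped svchost.exe executing from C:\Windows\Temp, iexplore.exe spawned by that svchost.exe) plus a DNS lookup of the C2 host and a Run-key write. The events are made up for the example; the Run value name is an assumption, since the report does not print it.

```python
"""Detection logic for the execution chain in this report's process tree.

Added example by the editor, not part of the sandbox report. The events
below are constructed to mirror the tree above plus a DNS lookup of the
extracted C2 host and the Run-key write the "Adds Run key" signature
reports. Field names follow Sysmon (Image, ParentImage, CommandLine,
QueryName, TargetObject); the Run value name is an assumption.
"""
import re
from dataclasses import dataclass

C2_HOST = "hobolicker.servebeer.com"  # from the extracted CyberGate config
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Event:
    kind: str            # "process", "dns" or "registry"
    image: str
    parent: str = ""
    cmdline: str = ""
    query: str = ""
    target: str = ""


# Constructed events modelled on the report; not real telemetry.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", parent=SAMPLE,
          cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java.bat" "'),
    Event("process", r"C:\Windows\SysWOW64\wscript.exe", parent=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat'),
    Event("process", r"C:\Windows\Temp\svchost.exe", parent=SAMPLE,
          cmdline=r"C:\Windows\Temp\svchost.exe"),
    Event("process", r"C:\Program Files\Internet Explorer\iexplore.exe",
          parent=r"C:\Windows\Temp\svchost.exe",
          cmdline=r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    # benign control: the real service host, started by services.exe
    Event("process", r"C:\Windows\System32\svchost.exe",
          parent=r"C:\Windows\System32\services.exe",
          cmdline=r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Event("dns", r"C:\Windows\Temp\svchost.exe", query=C2_HOST),
    Event("registry", SAMPLE,  # value name "svchost" is assumed, not from the report
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule, evidence) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        name = basename(e.image)
        if e.kind == "process":
            # T1036 masquerading: a core Windows service name outside System32/SysWOW64
            if name == "svchost.exe" and not in_system_dir(e.image):
                hits.append(("svchost_outside_system_dir", e.image))
            # a script host executing a .bat/.vbs dropped under %APPDATA% (java.bat, invs.vbs)
            if name in SCRIPT_HOSTS and re.search(
                    r'\\appdata\\roaming\\[^"]+\.(bat|vbs|js)\b', e.cmdline, re.I):
                hits.append(("script_host_runs_appdata_script", e.cmdline))
            # iexplore.exe started by something other than the user's shell or itself,
            # consistent with its use as an injection host (SetThreadContext + WriteProcessMemory)
            if name == "iexplore.exe" and basename(e.parent) not in {"explorer.exe", "iexplore.exe"}:
                hits.append(("iexplore_with_unusual_parent", e.parent))
        elif e.kind == "dns" and e.query.lower().rstrip(".") == C2_HOST:
            hits.append(("dns_query_for_cybergate_c2", e.image))
        elif e.kind == "registry" and "\\currentversion\\run\\" in e.target.lower():
            # Run-key persistence written by a binary living in a user-writable directory
            if re.search(r"\\(appdata|temp)\\", e.image, re.I):
                hits.append(("run_key_from_user_writable_path", e.target))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:36} {evidence}")
```

The benign System32 svchost.exe event is included deliberately: the masquerading rule keys on the directory, not the name, so the real service host produces no hit while the copy in C:\Windows\Temp does. The iexplore.exe rule is a heuristic; tune the parent allow-list to what your environment actually launches Internet Explorer from.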

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

            Filesize

            236KB

            MD5

            8e88f7ca977aab4c4957850affaf69dc

            SHA1

            7ce0df92852fda4c1884efda6d839d12d78f2181

            SHA256

            85067be04b7974987b68c75d5bec4f1b87f03212b89ac3e2a5d1348d7586c670

            SHA512

            624e53041bd1dca5e3496cb269004f63d3ba895b96eec4bf56d55370bd1288f7f712d90b3457cf8fe26f390441ce8c1af9612edba2cb3eba6bfdbe0918609c44

          • C:\Users\Admin\AppData\Roaming\invs.vbs

            Filesize

            78B

            MD5

            c578d9653b22800c3eb6b6a51219bbb8

            SHA1

            a97aa251901bbe179a48dbc7a0c1872e163b1f2d

            SHA256

            20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

            SHA512

            3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

          • C:\Users\Admin\AppData\Roaming\java.bat

            Filesize

            53B

            MD5

            1896de26a454df8628034ca3e0649905

            SHA1

            76b98d95a85d043539706b89194c46cf14464abe

            SHA256

            d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208

            SHA512

            ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

          • C:\Users\Admin\AppData\Roaming\java2.bat

            Filesize

            156B

            MD5

            6e11326aa89037c32d94aac927174738

            SHA1

            002281bc47dab009f00ed9bfa898cb58605ac0c4

            SHA256

            fe4445a81e9eca7f954f0a5233bed798ba654d39503776d410b071a768147808

            SHA512

            423c6adb6d3cab2601607b813b1e6d48f60c7b3464f857d8e8f40b2445de1b7b66bc469c6367bd437c7896aec49ba87ab917ad919deeb713f1150c7764df21cf

          • C:\Users\Admin\AppData\Roaming\msvcnp .exe

            Filesize

            597KB

            MD5

            a7cf3a9a2608091aeefd3b028f6c8212

            SHA1

            773f38e2676c57f2b70754aca0a0ddc0e3b3861f

            SHA256

            aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745

            SHA512

            22ab8c3f06bfc3ce4cb1c886b9fec218cc8a6245c6adc96ac16308a5bdb3ae02fc7ab5437a87182b3d00074009219f1814b84e4b3b1b2a6ebfa38000bfb3185f

          • C:\Users\Admin\AppData\Roaming\rundll32-.txt

            Filesize

            597KB

            MD5

            a7cf3a9a2608091aeefd3b028f6c8212

            SHA1

            773f38e2676c57f2b70754aca0a0ddc0e3b3861f

            SHA256

            aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745

            SHA512

            22ab8c3f06bfc3ce4cb1c886b9fec218cc8a6245c6adc96ac16308a5bdb3ae02fc7ab5437a87182b3d00074009219f1814b84e4b3b1b2a6ebfa38000bfb3185f

          • C:\Windows\Temp\svchost.exe

            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

          • C:\Windows\Temp\svchost.exe

            Filesize

            1.1MB

            MD5

            d881de17aa8f2e2c08cbb7b265f928f9

            SHA1

            08936aebc87decf0af6e8eada191062b5e65ac2a

            SHA256

            b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

            SHA512

            5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

          • memory/1136-138-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

          • memory/1136-153-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

          • memory/1136-140-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

          • memory/1136-141-0x0000000000400000-0x000000000044D000-memory.dmp

            Filesize

            308KB

          • memory/1136-147-0x0000000010410000-0x0000000010482000-memory.dmp

            Filesize

            456KB

          • memory/2052-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

            Filesize

            5.7MB

          • memory/2052-159-0x0000000074EC0000-0x0000000075471000-memory.dmp

            Filesize

            5.7MB

          • memory/2052-162-0x0000000074EC0000-0x0000000075471000-memory.dmp

            Filesize

            5.7MB

          • memory/4744-156-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

          • memory/4744-158-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB

          • memory/4744-160-0x0000000010490000-0x0000000010502000-memory.dmp

            Filesize

            456KB
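The file list above contains several things worth flagging mechanically: two of the dropped files (msvcnp .exe and rundll32-.txt) carry the submitted sample's own hashes, one of them under a .txt extension; the 1.1MB svchost.exe lives in C:\Windows\Temp rather than System32; and the report lists that svchost.exe twice. The following is an added example by the editor, not part of the sandbox report: a triage routine over the Downloads entries as transcribed from the page (path, reported size, SHA256). The rules and the list of system binary names are the editor's own heuristics, not sandbox signatures.

```python
"""Triage of the files listed under Downloads.

Added example by the editor, not part of the sandbox report. DROPPED is
transcribed from the Downloads section (path, reported size, SHA256); the
rules are the editor's own heuristics, not sandbox signatures.
"""
import ntpath

SUBMITTED_SHA256 = "aa15daa6e6e776e23190035b33b26132c24ea5d586f0a23a6c44d369389b7745"

# Names of core Windows binaries that malware commonly borrows (editor's list)
SYSTEM_BINARY_NAMES = {"svchost.exe", "rundll32.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\Admin2.txt", "236KB",
     "85067be04b7974987b68c75d5bec4f1b87f03212b89ac3e2a5d1348d7586c670"),
    (r"C:\Users\Admin\AppData\Roaming\invs.vbs", "78B",
     "20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2"),
    (r"C:\Users\Admin\AppData\Roaming\java.bat", "53B",
     "d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208"),
    (r"C:\Users\Admin\AppData\Roaming\java2.bat", "156B",
     "fe4445a81e9eca7f954f0a5233bed798ba654d39503776d410b071a768147808"),
    (r"C:\Users\Admin\AppData\Roaming\msvcnp .exe", "597KB", SUBMITTED_SHA256),
    (r"C:\Users\Admin\AppData\Roaming\rundll32-.txt", "597KB", SUBMITTED_SHA256),
    (r"C:\Windows\Temp\svchost.exe", "1.1MB",
     "b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0"),
    (r"C:\Windows\Temp\svchost.exe", "1.1MB",  # listed twice in the report
     "b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0"),
]


def unique_hashes(entries):
    """Distinct SHA256 values: how many different files were actually written."""
    return {sha for _path, _size, sha in entries}


def triage(entries, submitted_sha256):
    """Return (finding, path) pairs; each (path, sha256) pair is examined once."""
    seen, findings = set(), []
    for path, _size, sha in entries:
        key = (path.lower(), sha)
        if key in seen:
            continue
        seen.add(key)
        name = ntpath.basename(path)          # ntpath splits on backslashes on any OS
        stem, ext = ntpath.splitext(name)
        if sha == submitted_sha256:
            # the sample copied itself under a new name (msvcnp .exe, rundll32-.txt)
            findings.append(("self_copy_of_sample", path))
            if ext.lower() != ".exe":
                # executable bytes stored under a non-executable extension
                findings.append(("executable_under_non_exe_extension", path))
        if name.lower() in SYSTEM_BINARY_NAMES and not path.lower().startswith(SYSTEM_DIRS):
            # T1036: a core Windows binary name outside System32/SysWOW64
            findings.append(("system_binary_name_outside_system_dir", path))
        if stem != stem.strip():
            # "msvcnp .exe": a space before the extension, which no legitimate installer writes
            findings.append(("whitespace_in_file_name", path))
    return findings


if __name__ == "__main__":
    print(f"{len(unique_hashes(DROPPED))} distinct files written")
    for finding, path in triage(DROPPED, SUBMITTED_SHA256):
        print(f"{finding:40} {path}")
```

Dedup is done on (path, hash) rather than hash alone so that the two self-copies of the sample, which share a hash but not a path, are each reported; the duplicate svchost.exe entry, which shares both, is reported once.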