Analysis

  • max time kernel
    151s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-07-2023 15:19

General

  • Target

    easy_Malicious_1f3cce001ef578ff87412a58519a009c732b979f5c052a423ba933682ab94f52.exe

  • Size

    289KB

  • MD5

    aeeaa8f12c66447488a03bc0118121cc

  • SHA1

    08ec8b8fb3c4a6c76c7e839ec0fe6908680b18f7

  • SHA256

    65f3cd2b7075e28c4a65f9687c5513be8020a47815c151143f8da59d89430aef

  • SHA512

    239eb587445eb6953f48695cb095010dfb67f48e00256d91893f011e8952863886e714bd542ddf609e4e953e99faa294eef5ab4b2763e949df7a335dc2ef7b63

  • SSDEEP

    6144:2OpslFlqbhdBCkWYxuukP1pjSKSNVkq/MVJbU:2wsl0TBd47GLRMTbU

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

oscarpenelo.synology.me:8000

Mutex

CMBXE3MIQ6D7V4

Attributes
  • enable_keylogger

    false

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    setup.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    555
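
The extracted config above is the most durable hunting material in this report: the mutex, the C2 hostname (a synology.me dynamic-DNS name, so block and alert on the hostname rather than whatever IP it resolves to at sampling time) and the message-box caption. The script below, an added example and not part of the sandbox's tooling, turns those values into a YARA rule and checks which of them are recoverable from a memory region. The two byte blobs are constructed stand-ins (a "packed" body and an "unpacked" region), not real dump contents, and the function names are this example's own. Because the Signatures section flags the file as UPX-packed, expect the plaintext strings to show up in the explorer.exe memory dumps listed later in the report rather than in the on-disk sample.

```python
"""Turn the extracted CyberGate config into hunting IOCs and check them against
a memory region. Added example, not part of the sandbox report: config values
are copied from the page; the two byte blobs are constructed stand-ins."""

# Copied from the 'Malware Config' section of this report.
CONFIG = {
    "c2": "oscarpenelo.synology.me:8000",
    "mutex": "CMBXE3MIQ6D7V4",
    "password": "555",
    "injected_process": "explorer.exe",
    "message_box_title": "CyberGate",
    "message_box_caption": "Remote Administration anywhere in the world.",
}


def parse_c2(c2: str) -> tuple[str, int]:
    """Split 'host:port'; rpartition keeps any ':' inside the host part intact."""
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"unparseable C2 {c2!r}")
    return host, int(port)


def encodings_of(s: str) -> dict[str, bytes]:
    """Look for both narrow and UTF-16LE forms: either may be what sits in memory."""
    return {"ascii": s.encode("ascii"), "wide": s.encode("utf-16-le")}


def find_config_strings(blob: bytes, cfg: dict) -> dict[str, list[str]]:
    """{config_key: [encodings found]} for each config value present in blob.
    Values shorter than 6 chars (the '555' password) are skipped: too noisy."""
    hits = {}
    for key, value in cfg.items():
        if len(value) < 6:
            continue
        found = [enc for enc, needle in encodings_of(value).items() if needle in blob]
        if found:
            hits[key] = found
    return hits


def yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def yara_rule(cfg: dict, name: str = "cybergate_config_in_memory") -> str:
    """Rule text keyed on mutex, C2 host and message-box caption. Aim it at
    memory dumps or an unpacked image: the sample on disk is UPX-packed, so
    these plaintext strings are not expected to match the file itself."""
    host, _port = parse_c2(cfg["c2"])
    strings = {"mutex": cfg["mutex"], "c2_host": host, "caption": cfg["message_box_caption"]}
    lines = [f"rule {name}", "{", "    strings:"]
    for ident, value in strings.items():
        lines.append(f'        ${ident} = "{yara_escape(value)}" ascii wide')
    lines += ["    condition:", "        $mutex or ($c2_host and $caption)", "}"]
    return "\n".join(lines)


# Constructed stand-ins (not real dump contents): a packed file body with no
# plaintext config, and an unpacked region like memory/2028-584-... where the
# config strings are recoverable, mixing narrow and wide encodings.
PACKED_SAMPLE = b"UPX0" + bytes(range(256)) * 2
UNPACKED_REGION = (
    b"\x00" * 16
    + CONFIG["mutex"].encode("ascii") + b"\x00"
    + CONFIG["c2"].encode("utf-16-le") + b"\x00\x00"
    + CONFIG["message_box_caption"].encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    print(parse_c2(CONFIG["c2"]))
    print(find_config_strings(PACKED_SAMPLE, CONFIG))   # {}
    print(find_config_strings(UNPACKED_REGION, CONFIG))
    print(yara_rule(CONFIG))
```

The rule's condition deliberately accepts the mutex alone: it is the most specific single value in the config, whereas the caption text is shared by every CyberGate build that keeps the default message box, and the hostname alone could match a benign file that merely mentions it.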

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1228
      • C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1f3cce001ef578ff87412a58519a009c732b979f5c052a423ba933682ab94f52.exe
        "C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1f3cce001ef578ff87412a58519a009c732b979f5c052a423ba933682ab94f52.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2028
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2528
          • C:\CyberGate\install\setup.exe
            "C:\CyberGate\install\setup.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2508
        • C:\CyberGate\install\setup.exe
          "C:\CyberGate\install\setup.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:2648
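
The tree above is the behavioural core of the report: the sample in %TEMP% (PID 2340) starts two copies of the 32-bit explorer.exe from SysWOW64 (PIDs 2028 and 2528, matching the config's injected_process), and one of those copies launches the dropped C:\CyberGate\install\setup.exe (PID 2508). The following detection logic is an added example, not tooling from the sandbox: the events are constructed from the PIDs and image paths the tree lists (the parent of the real shell, PID 1228, is not on the page and is set to 0), and the ProcEvent fields, directory lists and function names are this example's assumptions.

```python
"""Detection logic for the process tree above: a user-land binary starting
explorer.exe and the resulting explorer.exe copies launching a dropped EXE.
Added example, not from the report: events are constructed from the PIDs and
image paths the tree lists; ProcEvent fields and PID 1228's parent are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\easy_Malicious_1f3cce001ef578ff87412a58519a009c732b979f5c052a423ba933682ab94f52.exe")
DROPPED = r"C:\CyberGate\install\setup.exe"

# Transcribed from the report's process tree. PID 1228 is the real shell; its
# parent is not on the page, so 0 (unknown) is used here.
EVENTS = [
    ProcEvent(1228, 0, r"C:\Windows\Explorer.EXE"),
    ProcEvent(2340, 1228, SAMPLE),
    ProcEvent(2028, 2340, r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(2528, 2340, r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(2508, 2528, DROPPED),
    ProcEvent(2648, 2340, DROPPED),
]

# Directories a standard user cannot write to without elevation.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Processes that legitimately start the shell. userinit.exe normally exits
# right after, so an explorer.exe whose parent is gone is not by itself odd.
SHELL_LAUNCHERS = {"explorer.exe", "userinit.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def find_explorer_hosts(events):
    """PIDs of explorer.exe started by something other than a shell launcher.
    The config says injected_process=explorer.exe; the tree shows two such
    copies (the 32-bit SysWOW64 binary) spawned by the sample in %TEMP%."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "explorer.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) in SHELL_LAUNCHERS:
            continue
        hits.append(e.pid)
    return hits


def find_untrusted_children(events, parent_pids):
    """Children of the given PIDs whose image lives outside the trusted dirs."""
    return [e.pid for e in events
            if e.ppid in parent_pids and not in_trusted_dir(e.image)]


def triage(events):
    hosts = find_explorer_hosts(events)
    untrusted = sorted({e.image for e in events if not in_trusted_dir(e.image)})
    return {
        "injected_explorer": hosts,
        # dropped binary launched from inside a hijacked explorer.exe copy
        "spawned_by_injected": find_untrusted_children(events, set(hosts)),
        "untrusted_images": untrusted,
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Treat the parent check as a triage signal rather than a standalone alert: a user who restarts the shell from Task Manager produces an explorer.exe with taskmgr.exe as parent, and parent-PID spoofing defeats the check entirely. The stronger corroboration here is the combination the report itself lists for those PIDs: WriteProcessMemory from the sample, AdjustPrivilegeToken in the new explorer.exe copies, and an executable running from C:\CyberGate\install\.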

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\CyberGate\install\setup.exe

      Filesize

      289KB

      MD5

      aeeaa8f12c66447488a03bc0118121cc

      SHA1

      08ec8b8fb3c4a6c76c7e839ec0fe6908680b18f7

      SHA256

      65f3cd2b7075e28c4a65f9687c5513be8020a47815c151143f8da59d89430aef

      SHA512

      239eb587445eb6953f48695cb095010dfb67f48e00256d91893f011e8952863886e714bd542ddf609e4e953e99faa294eef5ab4b2763e949df7a335dc2ef7b63

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

      Filesize

      224KB

      MD5

      abdd00f6f348a90ded7b87406e744762

      SHA1

      a4b30cccf9d78c32b24ff0198a265bbeea528632

      SHA256

      e3d50c052d09c47ed50edd7b92dbcfd330674d73d9955b9617b1ae53faabf71d

      SHA512

      502f876f7561b60754156220a2ec7f0279cd9add0f58a7712760254273aee5218ff06b63e49478e15b30b344e3cb6f22fa4249b1ab35ff96304fa67fd4740563

    • \??\c:\CyberGate\install\setup.exe

      Filesize

      289KB

      MD5

      aeeaa8f12c66447488a03bc0118121cc

      SHA1

      08ec8b8fb3c4a6c76c7e839ec0fe6908680b18f7

      SHA256

      65f3cd2b7075e28c4a65f9687c5513be8020a47815c151143f8da59d89430aef

      SHA512

      239eb587445eb6953f48695cb095010dfb67f48e00256d91893f011e8952863886e714bd542ddf609e4e953e99faa294eef5ab4b2763e949df7a335dc2ef7b63

    • \CyberGate\install\setup.exe

      Filesize

      289KB

      MD5

      aeeaa8f12c66447488a03bc0118121cc

      SHA1

      08ec8b8fb3c4a6c76c7e839ec0fe6908680b18f7

      SHA256

      65f3cd2b7075e28c4a65f9687c5513be8020a47815c151143f8da59d89430aef

      SHA512

      239eb587445eb6953f48695cb095010dfb67f48e00256d91893f011e8952863886e714bd542ddf609e4e953e99faa294eef5ab4b2763e949df7a335dc2ef7b63

    • memory/1228-57-0x00000000026A0000-0x00000000026A1000-memory.dmp

      Filesize

      4KB

    • memory/2028-584-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/2028-351-0x0000000000160000-0x0000000000161000-memory.dmp

      Filesize

      4KB

    • memory/2028-348-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB

    • memory/2528-899-0x00000000104F0000-0x0000000010555000-memory.dmp

      Filesize

      404KB

    • memory/2528-918-0x00000000104F0000-0x0000000010555000-memory.dmp

      Filesize

      404KB
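
The Downloads list records the same dropped file under three spellings (C:\CyberGate\install\setup.exe, the NT object-manager form \??\c:\CyberGate\install\setup.exe, and the drive-less \CyberGate\install\setup.exe), and its SHA256 is identical to the submitted sample's SHA256 in the General section: the dropper writes a byte-for-byte copy of itself, so one hash covers both the original and the persisted copy. Admin2.txt is a separate 224KB artefact whose purpose the report does not state. The script below is an added example, not the sandbox's code: paths, hashes and dump names are transcribed from this page, while the normalisation rules (strip the \??\ prefix, assume drive-less paths are on C:) and the function names are this example's own assumptions.

```python
"""Collapse the Downloads list above to unique artefacts and tie the memory
dumps back to PIDs. Added example, not from the report tooling: paths, hashes
and dump names are transcribed from this page; the path-normalisation rules
(NT prefix stripping, drive-less paths assumed to be C:) are this example's."""
import re
from collections import defaultdict

SETUP_SHA256 = "65f3cd2b7075e28c4a65f9687c5513be8020a47815c151143f8da59d89430aef"
ADMIN2_SHA256 = "e3d50c052d09c47ed50edd7b92dbcfd330674d73d9955b9617b1ae53faabf71d"
# The 'General' section lists this same SHA256 for the submitted file.
SUBMITTED_SHA256 = SETUP_SHA256

# (path as the sandbox recorded it, SHA256), transcribed from the page.
DOWNLOADS = [
    (r"C:\CyberGate\install\setup.exe", SETUP_SHA256),
    (r"C:\Users\Admin\AppData\Local\Temp\Admin2.txt", ADMIN2_SHA256),
    (r"\??\c:\CyberGate\install\setup.exe", SETUP_SHA256),
    (r"\CyberGate\install\setup.exe", SETUP_SHA256),
]

MEMORY_DUMPS = [
    "memory/1228-57-0x00000000026A0000-0x00000000026A1000-memory.dmp",
    "memory/2028-584-0x0000000010480000-0x00000000104E5000-memory.dmp",
    "memory/2528-899-0x00000000104F0000-0x0000000010555000-memory.dmp",
]


def normalize_path(p: str, default_drive: str = "C:") -> str:
    """Map '\\??\\c:\\x' (NT object-manager form) and drive-less '\\x' onto 'C:\\x'."""
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\"):          # drive omitted: assume the sandbox's system volume
        p = default_drive + p
    return p[:2].upper() + p[2:]    # canonical upper-case drive letter


def group_by_hash(entries):
    """{sha256: sorted unique normalised paths}: one artefact per hash."""
    groups = defaultdict(set)
    for path, sha in entries:
        groups[sha].add(normalize_path(path))
    return {sha: sorted(paths) for sha, paths in groups.items()}


def is_self_copy(groups, submitted_sha: str, dropped_path: str) -> bool:
    """True when the dropped install_file is byte-identical to the submitted sample."""
    return dropped_path in groups.get(submitted_sha, [])


_DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def dump_regions(names):
    """{pid: [(start_address, size_bytes), ...]} parsed from the dump file names."""
    out = defaultdict(list)
    for n in names:
        m = _DUMP_RE.fullmatch(n)
        if m:
            pid, start, end = int(m[1]), int(m[2], 16), int(m[3], 16)
            out[pid].append((start, end - start))
    return dict(out)


if __name__ == "__main__":
    groups = group_by_hash(DOWNLOADS)
    for sha, paths in groups.items():
        print(sha[:16], paths)
    print("self-copy:", is_self_copy(groups, SUBMITTED_SHA256, r"C:\CyberGate\install\setup.exe"))
    for pid, regions in dump_regions(MEMORY_DUMPS).items():
        print(pid, [(hex(a), f"{size // 1024}KB") for a, size in regions])
```

The two 404KB regions both belong to the explorer.exe copies the sample started (PIDs 2028 and 2528) and sit at similar, non-default base addresses (0x10480000 and 0x104F0000), which is where to point the config-string search and the YARA rule rather than at the UPX-packed file; the 4KB dump from the real shell (PID 1228) is too small to hold the payload and is worth inspecting for what the sample wrote there.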