Analysis

  • max time kernel
    150s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/07/2023, 16:56 UTC

General

  • Target

    easyMalicious2b763683f4bc.exe

  • Size

    290KB

  • MD5

    cc5d023b5fa3916f2ef1a794145254ea

  • SHA1

    b496eb4a3947eb290717059b70d6d2fb17ed6d6b

  • SHA256

    40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

  • SHA512

    17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b

  • SSDEEP

    6144:2OpslFlqLhdBCkWYxuukP1pjSKSNVkq/MVJbX:2wsl2TBd47GLRMTbX

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

smokie666.chickenkiller.com:8090

Mutex

TG0LNKN1EO587L

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1384
      • C:\Users\Admin\AppData\Local\Temp\easyMalicious2b763683f4bc.exe
        "C:\Users\Admin\AppData\Local\Temp\easyMalicious2b763683f4bc.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          • Suspicious use of AdjustPrivilegeToken
          PID:584
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:3008
          • C:\Users\Admin\AppData\Local\Temp\easyMalicious2b763683f4bc.exe
            "C:\Users\Admin\AppData\Local\Temp\easyMalicious2b763683f4bc.exe"
            3⤵
            • Loads dropped DLL
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:544
            • C:\directory\CyberGate\install\server.exe
              "C:\directory\CyberGate\install\server.exe"
              4⤵
              • Executes dropped EXE
              PID:2820

      Network

      • flag-us
        DNS
        smokie666.chickenkiller.com
        easyMalicious2b763683f4bc.exe
        Remote address: 8.8.8.8:53
        Request: smokie666.chickenkiller.com IN A
        Response: No results found

      • 8.8.8.8:53 | smokie666.chickenkiller.com | dns | easyMalicious2b763683f4bc.exe | 73 B | 132 B | 1 | 1

        DNS Request

        smokie666.chickenkiller.com

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

        Filesize

        224KB

        MD5

        ea859081c91a710ea0a57cd3aacb9139

        SHA1

        00ec36c43b42c2cca6a8f9776060e9fa19207ec5

        SHA256

        8e2b57630b79b70698de298313198b0f8c8dd54ba835b14fc8430c43e44a77e8

        SHA512

        ae1b5ca74ccddba87639c660c4fbc12c60722d6ce51e143b40c658d6bdf927e904108a1f9eff43b307fc4142c250a3ee41bd54fd0480c21145764f59878f342f

      • C:\Users\Admin\AppData\Local\Temp\Admin8

        Filesize

        8B

        MD5

        59b89d8c5d0a25282737ab8e3b8febb1

        SHA1

        d9dffb117d93c64aa9d38c048c851567b4ab903a

        SHA256

        ca91d81c2f951bff34bc2e8b3ca5ee4c74cea0479bda5a393b6385c4d683e70c

        SHA512

        2e67af636a6d9514f8070774a0c573e8f5d771d4ea7dd25696fc2ed052002d5236443331125941c05cb41d6ef6e9b1a3a9beba2d6155af5b3bc264dca4e307bd

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat

        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      • C:\directory\CyberGate\install\server.exe

        Filesize

        290KB

        MD5

        cc5d023b5fa3916f2ef1a794145254ea

        SHA1

        b496eb4a3947eb290717059b70d6d2fb17ed6d6b

        SHA256

        40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

        SHA512

        17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b

      • \??\c:\directory\CyberGate\install\server.exe

        Filesize

        290KB

        MD5

        cc5d023b5fa3916f2ef1a794145254ea

        SHA1

        b496eb4a3947eb290717059b70d6d2fb17ed6d6b

        SHA256

        40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

        SHA512

        17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b

      • \directory\CyberGate\install\server.exe

        Filesize

        290KB

        MD5

        cc5d023b5fa3916f2ef1a794145254ea

        SHA1

        b496eb4a3947eb290717059b70d6d2fb17ed6d6b

        SHA256

        40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

        SHA512

        17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b

      • memory/544-903-0x0000000010560000-0x00000000105C5000-memory.dmp

        Filesize

        404KB

      • memory/544-933-0x0000000010560000-0x00000000105C5000-memory.dmp

        Filesize

        404KB

      • memory/584-550-0x00000000000A0000-0x00000000000A1000-memory.dmp

        Filesize

        4KB

      • memory/584-584-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

      • memory/584-552-0x0000000000020000-0x0000000000021000-memory.dmp

        Filesize

        4KB

      • memory/1384-57-0x00000000021E0000-0x00000000021E1000-memory.dmp

        Filesize

        4KB