Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3f6c54a9f8...32.exe

windows7-x64

10

3f6c54a9f8...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 22:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f6c54a9f85391e4dd50846190189032.exe

  • Size

    896KB

  • MD5

    3f6c54a9f85391e4dd50846190189032

  • SHA1

    686e909d5fb30943a1b34cc6719e2ef76efe2e99

  • SHA256

    7df42715e9ac3291391fee47cdd2d17953f08b446b115a20057c6f5597d04c7a

  • SHA512

    9394b47b27145659108d8ecc60df2b74a1340e66b267de666c4f4fc0ad60c2844a5c88e10691fd5b548b19ff92f33923f6735df1375a88edcb8f19f3c2ae581f

  • SSDEEP

    24576:U+9jpSIR/998CGPMAkqAyt9kkQ1bNWxMbG:DjQBDAyt9ktUn

Score
10/10
cybergateremotepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

remote

C2

127.0.0.1:81

fenerli1907.no-ip.biz:81
Mutex

6HTML1R8472C5Q

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    filevw61.OCX Error

  • message_box_title

    Error

  • password

    1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\3f6c54a9f85391e4dd50846190189032.exe
        "C:\Users\Admin\AppData\Local\Temp\3f6c54a9f85391e4dd50846190189032.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
          "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:1112
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Loads dropped DLL
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2768
            • C:\Windows\install\server.exe
              "C:\Windows\install\server.exe"
              5⤵
              • Executes dropped EXE
              PID:2016

    Network

    • flag-us
      DNS
      www.server.com
      explorer.exe
      Remote address:
      8.8.8.8:53
      Request
      www.server.com
      IN A
      Response
      www.server.com
      IN CNAME
      server.com
      server.com
      IN A
      52.8.126.80
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 52.8.126.80:80
      www.server.com
      explorer.exe
      152 B
       3
    • 8.8.8.8:53
      www.server.com
      dns
      explorer.exe
      60 B
       90 B
       1
      1

      DNS Request

      www.server.com

      DNS Response

      52.8.126.80

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      Filesize

      65KB

      MD5

      761de218cbcfcf19c40051a9e1f60ed6

      SHA1

      73ba462a7b1365aee8f2fad62420f6bc7b322832

      SHA256

      44235c5e4fcfaba82b6e01f500bb1e98fe6d3bbe5e79b30e41257324204146b0

      SHA512

      22094e3ef64a7f34d92cafff6f27da826474c8699c5bf99d3fc29ae89aed17cc9fba24597e887cca32e3242e547490b400279af15eced7e17e208ea2e27948aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      Filesize

      267KB

      MD5

      88d8e598c89fbec0dcec5436f99e250b

      SHA1

      710a793b01cdfb4a3f68b5d9628edd664014948f

      SHA256

      9e7de1a076834791767207fb07ee73a96592e78f15c618da7c5396fffa3c7d42

      SHA512

      cb6a63f82c2e8f08dc305c4d235cb75c150889469e3a65c93da2d63dbea2190a92faa8f92256cdf6098abb71996fb6fa4842fb4db3965f1b9a988ef202552fe3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      222KB

      MD5

      21736ce96610b480ba28aa7560af0eee

      SHA1

      b673288cbcb8229137d45d07d5553c1979c4ee62

      SHA256

      0175a1d969ff2e4a18eb2c8cd7519122a9596acc5a72d7ce4076f3a3ccae298b

      SHA512

      8e55463baec7eaa1ec48edeaa344c6f44c18dd4e2a141b826e12b1edcc405b8157bf77c643661c35d0a94f712af9d7fdcb936aadb450e8788aa866992ba4e521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      b97e775051486f5eac7c356ffb0265e1

      SHA1

      057b38df0b405333b559964b160932642e7c51fd

      SHA256

      882417e565caa0c2a9db41aecdc1048763b2bf59b7e64cd673064abe22f2444e

      SHA512

      fe2c96c5c1f6955df6107c0d70b6897c41f28dbb593ff719c9b06ba6a325e44d041d57c4eeae57952c2153bf3fb2f1de6449ee1fea2e00a3f3d4b82ff08ff23e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      516cc1779f21187eefebdcf0f0fd0c9e

      SHA1

      5c165ebc01f16b6318a1d8a8d111ff823c231b01

      SHA256

      5124924d7545958ed7a7be898be105f70dfb620abac66be98c6ba06542d43df0

      SHA512

      0c288cd8938783b8167d5c0bf30d8dc7486753c90acd40448978d43b52879102e9428462e7fb36fbf3883b548d3d7c836633da64cd077623d89024b221230001

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      b000a4d02224dddbd58ab3e07c3a6983

      SHA1

      b4364bdd750aa3683aa2bd866a79d7ef124034f6

      SHA256

      d44fdf6e78ae6325f9958705f866ba08b5dfbd5d1ea8028039fe3a74238bca24

      SHA512

      eeba4de1ece07fe5b4a9a23f9976b75bb8ad979ca17f9d01bfa635ddffc4339bafb6a42470606327e5b220bbd87b234177ec7b8495ede8f95c1465db0432eea8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      46b13c062da61f42e731b3c6fd571ee2

      SHA1

      ce55a2c0113d6e3a6856ce01df5969141c6432f5

      SHA256

      486bc4733d8f6407f2663be8c87dd740556a95f924f42bf516e771a7d10c933e

      SHA512

      b2dd75f00a86d5f335561f4481c529a29b71aa441059f3300fe57ca65f4ed65cefb87f7edcf57ea99811fa11e0416fdc0592f3a61a8af5977324aca6b08ca0f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      01a77102b9a0c352b6b8f3ac27c330c9

      SHA1

      f715e9ead538f068c88dc2989e3904592d11c018

      SHA256

      d6676b57cf88af93def840a44230c02c7b2d09c63edc243428bd8f0582938013

      SHA512

      f8e488765252836df509d93c99e434a72b2c24d49f3ee54e2ad2da9d7636470735cbbafd2c3b2f7d591ab6c75e64b20cbaa79c706e093012bc5ffba7640a56c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      231dfd4a0c29c7d54a9cab9f173f93d5

      SHA1

      4eb1ad1747fe158f0b8e0e8ac3c640fbe5138327

      SHA256

      054cf21964c15ed3d2e7314839c53039d2796b9b0121759cc1a70902b6f890a8

      SHA512

      9f80b97f05fcef01b365bb51f578bef280abe2d8e9d4f49ec759ecf25b821f853ade81a5d6a5705544fb7075c2e75c51ae19e98c999dfdebb8c28cd84bb4b021

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      2e83c2571f07eef76222e602a0657bb5

      SHA1

      b788ca9ec82b367046db245675e77c5d477ecf8e

      SHA256

      d6a93ec7673b31c00db931b86cafdffcfcdf848dc2360cdbbf29d779dc4d5935

      SHA512

      333d2be1aecd27b15324ab2127e68fc97f45ba1accf36ee2bc52dfab85459d36b77df7536a19e935e655d0e282bda8b7c9fb1160d945246de7a283d4947615ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      ba7000bd73a18afcd486159c96feec49

      SHA1

      ec419d63f80010b09c71acc2cfc8c0625761eb5b

      SHA256

      1c359c379ecf9123373c99b42158317fb9518bea995c1e99f42ae1f6403e056f

      SHA512

      76ddea8a331efc37d3a6ce26998bf72e06bca3e0338f98b5648e2001cba5249a8ac03a95220b0f7fe73e1da1e4861ac3a7394336afd46349a9ecbeb5fe98f74c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      91828fcf668f495bacf284aedb8e2aa2

      SHA1

      a91a91ba16868f7dbdc6f58e30effb496b9e2899

      SHA256

      25612eac1b739aafcabb71ee2745b045fe4648f8e2fd55be0c21352afb3a1db2

      SHA512

      b3ff25369a93eeeb86288ef7dbd82a54d630bfeacf605b860003df23469f8a5419e526a1872599e319c9d371e9c430ad45f6ca0b15dfa4de1d6541115f1e07b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      91c39cfde32b24dd2af633aa68d6cfea

      SHA1

      aba8ccfb65cb60c5ab40813370b893a3dbcf8acf

      SHA256

      0a20459d6771319b52aa0804c4e5b23e96e344c3094996ab0fd7c957881875e5

      SHA512

      b5aefabc83d4ea80931a5a745082bcca5d7535bf86f12fa9607040172d7b3f947d649c9073560115b6cb97193629beab70219bcb72941b6744316327593034c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      d9ca21b7bf45923f83ac9e96941da6ea

      SHA1

      4b5780f937e2b27320294c51123683a1936dd45d

      SHA256

      bee85ce98ed4ef224d4ba2086b21e70197a54ce626005ae2f0e699308dbc863b

      SHA512

      378b60081df77ff9fef004660b7d8b357253d649bed5cb30736756cb3e34a9c2bf3201720ef2532836dfc429fe959b9cd88927c3123dca913b1d2c1cd04888a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      1ff0c6e7675105c56bf02ee91c678f3e

      SHA1

      6331f9a02ff149c2ce324ac10316e44d9140ddd3

      SHA256

      2f49d479590bc5b1b82da80304ad275486036394bf6af1233acc8573d9d0ce23

      SHA512

      691019a3fef6d2593d41b4d973dc3038f37aaaa7a800f21cdc871da0635f798475d02517ec18627fd088e575b68dd15fe49c32f32b3ea456e9b995034f22600f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      1da187dfa9483ee5aae65db6b4cf409e

      SHA1

      4da07139ada9fde8bca0a4b3d42670ba0c936cfc

      SHA256

      387446d819eddaaae78154d48869678a3b6925f037ee01e4d5da7fa11348c497

      SHA512

      3d8a01c9541bd0807ace681cea32419925086e5617bf4b0133f70a16a4490b65615838406eb472dc9fd72991a6c85e8c6ef1b1781d9992fe3eb83672ee4423e3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      e3383844d103a629cbce42eded1bd174

      SHA1

      a076f69327078d3afed0a9a8a1a656707512fee3

      SHA256

      06b53dfb331f133456b498bfd99a1ddd44626436f31cd503080c3661be5b5514

      SHA512

      eb2cc5faeb3674b8e308b8d1fd9e49d83c6307052197af4666b02a2124d819e5af9803ac19b89d647d2ad72fafd44321f4b2322b519cce907ee21f458cf4d3c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      d7a44002cbeae30ef72227f5e77f118c

      SHA1

      32563245d7607c0881ab1e562c49810d24c615db

      SHA256

      6a9f9a23612413797b55583b98cd07bcd99cb88ac583414c3a92fa961ca557b8

      SHA512

      793624300c586485bd77185816e059f5de0cfe434f573539a622f0c609910749ef84137e51759186f76a66ec9b841ee720278905e538fb8f5fb889ac06a9d84b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      3efc2a9c5d98db000d7fb141a1188aa1

      SHA1

      2dfc23309755f47b07a9dc72ae1ffc7a05b47082

      SHA256

      083b7358a2c1e5b24e2c95bd77b464a416ca862e42ba4a2dd1c6f1df8d838e9e

      SHA512

      7a313067ac1f40c4d212368cd551009ad91379cb1eafb779b88dee013d10b83eabb863ab4306b8601bd6ff7a3a89d47f7a87981a7ae6164a7f82523cbffd7775

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      a845d1a265b7a0ec25b9c44d9936e45c

      SHA1

      b9814bedd9656fc463dbcc3183dba25c6083bccc

      SHA256

      9390ecd936fb2f52f4f6c5f5a2ffc7cde40163b19a55db80e7413e0c82ef60ff

      SHA512

      26542f81dd39fd0c95e9f61f1caeeba150bd921b54391c46752d9c8c2134fd69a9bdaba53b2bd07a9c9512d23b09d01e3ab0ad941b85d8122fa61496b9dfbf6d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\cglogs.dat
      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      Download Submit

    • C:\Windows\install\server.exe
      Filesize

      215KB

      MD5

      e966b34b13f43c3059f1e33195bc0e0d

      SHA1

      7f9bfa5fe6184533783be05747d2b1b8f8c904ae

      SHA256

      c23fa3d7de3f9982759976a9e18530b668b61c8a1df9db800dadf0adfdd3e8ac

      SHA512

      44a7d44413a958bb16992c7bb2ad8aa5719342befbd6b42eebb865ccd03fb036c21bc3519e3e83ee1fdbaca59cf872aaf3abf5c8cffbea0b64933af15179cd6d

      Download Submit

    • \Windows\install\server.exe
      Filesize

      190KB

      MD5

      b8ab58c5132dc2011c4c0abdca5197d0

      SHA1

      34599fce4ec173434ee1f53e0ff8cb59355d5a9f

      SHA256

      af7b0335e7eed111de572bd79670de91e8aad2111ea5222af6cac824cfcc17e6

      SHA512

      3171cd702a7427247b8e6de39d48a984feff5bcfca7b9771d794b502fb5a489d194466a9549e4e26cdcf88f47d807ff5d7fd3108d7fb1ff74fa88b2ea3ce88ec

      Download Submit

    • \Windows\install\server.exe
      Filesize

      216KB

      MD5

      f76f9acf0dbdfa556e39253400b9e087

      SHA1

      80c36406463431da28a34a078b16e505abe963c7

      SHA256

      d845db233abd24f97b63c48838dd6464b40078ef7a812e5468d2863bcb2f9ca8

      SHA512

      a3abd10de42cad65fde0b44cdc26751c87e301691a15520ad7318fb247e1e0f764cd775e10a080c758adea4152a243ae51ee4558be26fe3397d1ed508bf016ee

      Download Submit

    • memory/1112-303-0x0000000000120000-0x0000000000121000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1112-545-0x0000000010480000-0x00000000104E1000-memory.dmp

      Filesize

      388KB

      Download

    • memory/1112-1032-0x0000000010480000-0x00000000104E1000-memory.dmp

      Filesize

      388KB

      Download

    • memory/1112-305-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1208-17-0x0000000002B00000-0x0000000002B01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2016-870-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2016-873-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2216-0-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2216-12-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2216-3-0x0000000000930000-0x00000000009B0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2216-2-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2216-1-0x0000000000930000-0x00000000009B0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2520-846-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2520-11-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2768-845-0x00000000104F0000-0x0000000010551000-memory.dmp

      Filesize

      388KB

      Download

    • memory/2768-1676-0x00000000104F0000-0x0000000010551000-memory.dmp

      Filesize

      388KB

      Download

    • memory/2768-868-0x0000000006270000-0x00000000062C5000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2768-867-0x0000000004BE0000-0x0000000004C35000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2768-1898-0x0000000004BE0000-0x0000000004C35000-memory.dmp

      Filesize

      340KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.