cybergate | 7df42715e9ac3291391fee47cdd2d17953f08b446b115a20057c6f5597d04c7a

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 22:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f6c54a9f85391e4dd50846190189032.exe
Size

896KB
MD5

3f6c54a9f85391e4dd50846190189032
SHA1

686e909d5fb30943a1b34cc6719e2ef76efe2e99
SHA256

7df42715e9ac3291391fee47cdd2d17953f08b446b115a20057c6f5597d04c7a
SHA512

9394b47b27145659108d8ecc60df2b74a1340e66b267de666c4f4fc0ad60c2844a5c88e10691fd5b548b19ff92f33923f6735df1375a88edcb8f19f3c2ae581f
SSDEEP

24576:U+9jpSIR/998CGPMAkqAyt9kkQ1bNWxMbG:DjQBDAyt9ktUn

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

remote

127.0.0.1:81

fenerli1907.no-ip.biz:81

Mutex

6HTML1R8472C5Q

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
filevw61.OCX Error
message_box_title
Error
password
1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	Crypted.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	Crypted.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3J8WYFF1-W284-8QF4-BA65-4664XG65L25P}	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3J8WYFF1-W284-8QF4-BA65-4664XG65L25P}\StubPath = "C:\\Windows\\install\\server.exe Restart"	Crypted.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3J8WYFF1-W284-8QF4-BA65-4664XG65L25P}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3J8WYFF1-W284-8QF4-BA65-4664XG65L25P}\StubPath = "C:\\Windows\\install\\server.exe"	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
2520	Crypted.exe
2016	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	explorer.exe
2768	explorer.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d00000001232a-8.dat	upx
behavioral1/memory/2520-11-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/files/0x000d00000001232a-13.dat	upx
behavioral1/memory/1112-545-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/2520-846-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2768-845-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral1/files/0x000a000000014703-865.dat	upx
behavioral1/memory/2016-870-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/files/0x000a000000014703-869.dat	upx
behavioral1/memory/2768-868-0x0000000006270000-0x00000000062C5000-memory.dmp	upx
behavioral1/memory/2768-867-0x0000000004BE0000-0x0000000004C35000-memory.dmp	upx
behavioral1/files/0x000a000000014703-866.dat	upx
behavioral1/memory/2016-873-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1112-1032-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral1/memory/2768-1676-0x00000000104F0000-0x0000000010551000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe"	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe"	Crypted.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\install\server.exe	Crypted.exe
File opened for modification	C:\Windows\install\server.exe	Crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	explorer.exe
Token: SeDebugPrivilege	2768	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2520	Crypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2520	2216	3f6c54a9f85391e4dd50846190189032.exe	28
PID 2216 wrote to memory of 2520	2216	3f6c54a9f85391e4dd50846190189032.exe	28
PID 2216 wrote to memory of 2520	2216	3f6c54a9f85391e4dd50846190189032.exe	28
PID 2216 wrote to memory of 2520	2216	3f6c54a9f85391e4dd50846190189032.exe	28
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15
PID 2520 wrote to memory of 1208	2520	Crypted.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\3f6c54a9f85391e4dd50846190189032.exe
  "C:\Users\Admin\AppData\Local\Temp\3f6c54a9f85391e4dd50846190189032.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      PID:1112
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2768
    - - C:\Windows\install\server.exe
        
        "C:\Windows\install\server.exe"
        5⤵
        Executes dropped EXE
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
65KB

MD5
761de218cbcfcf19c40051a9e1f60ed6

SHA1
73ba462a7b1365aee8f2fad62420f6bc7b322832

SHA256
44235c5e4fcfaba82b6e01f500bb1e98fe6d3bbe5e79b30e41257324204146b0

SHA512
22094e3ef64a7f34d92cafff6f27da826474c8699c5bf99d3fc29ae89aed17cc9fba24597e887cca32e3242e547490b400279af15eced7e17e208ea2e27948aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
267KB

MD5
88d8e598c89fbec0dcec5436f99e250b

SHA1
710a793b01cdfb4a3f68b5d9628edd664014948f

SHA256
9e7de1a076834791767207fb07ee73a96592e78f15c618da7c5396fffa3c7d42

SHA512
cb6a63f82c2e8f08dc305c4d235cb75c150889469e3a65c93da2d63dbea2190a92faa8f92256cdf6098abb71996fb6fa4842fb4db3965f1b9a988ef202552fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
21736ce96610b480ba28aa7560af0eee

SHA1
b673288cbcb8229137d45d07d5553c1979c4ee62

SHA256
0175a1d969ff2e4a18eb2c8cd7519122a9596acc5a72d7ce4076f3a3ccae298b

SHA512
8e55463baec7eaa1ec48edeaa344c6f44c18dd4e2a141b826e12b1edcc405b8157bf77c643661c35d0a94f712af9d7fdcb936aadb450e8788aa866992ba4e521

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b97e775051486f5eac7c356ffb0265e1

SHA1
057b38df0b405333b559964b160932642e7c51fd

SHA256
882417e565caa0c2a9db41aecdc1048763b2bf59b7e64cd673064abe22f2444e

SHA512
fe2c96c5c1f6955df6107c0d70b6897c41f28dbb593ff719c9b06ba6a325e44d041d57c4eeae57952c2153bf3fb2f1de6449ee1fea2e00a3f3d4b82ff08ff23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
516cc1779f21187eefebdcf0f0fd0c9e

SHA1
5c165ebc01f16b6318a1d8a8d111ff823c231b01

SHA256
5124924d7545958ed7a7be898be105f70dfb620abac66be98c6ba06542d43df0

SHA512
0c288cd8938783b8167d5c0bf30d8dc7486753c90acd40448978d43b52879102e9428462e7fb36fbf3883b548d3d7c836633da64cd077623d89024b221230001

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b000a4d02224dddbd58ab3e07c3a6983

SHA1
b4364bdd750aa3683aa2bd866a79d7ef124034f6

SHA256
d44fdf6e78ae6325f9958705f866ba08b5dfbd5d1ea8028039fe3a74238bca24

SHA512
eeba4de1ece07fe5b4a9a23f9976b75bb8ad979ca17f9d01bfa635ddffc4339bafb6a42470606327e5b220bbd87b234177ec7b8495ede8f95c1465db0432eea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
46b13c062da61f42e731b3c6fd571ee2

SHA1
ce55a2c0113d6e3a6856ce01df5969141c6432f5

SHA256
486bc4733d8f6407f2663be8c87dd740556a95f924f42bf516e771a7d10c933e

SHA512
b2dd75f00a86d5f335561f4481c529a29b71aa441059f3300fe57ca65f4ed65cefb87f7edcf57ea99811fa11e0416fdc0592f3a61a8af5977324aca6b08ca0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
01a77102b9a0c352b6b8f3ac27c330c9

SHA1
f715e9ead538f068c88dc2989e3904592d11c018

SHA256
d6676b57cf88af93def840a44230c02c7b2d09c63edc243428bd8f0582938013

SHA512
f8e488765252836df509d93c99e434a72b2c24d49f3ee54e2ad2da9d7636470735cbbafd2c3b2f7d591ab6c75e64b20cbaa79c706e093012bc5ffba7640a56c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
231dfd4a0c29c7d54a9cab9f173f93d5

SHA1
4eb1ad1747fe158f0b8e0e8ac3c640fbe5138327

SHA256
054cf21964c15ed3d2e7314839c53039d2796b9b0121759cc1a70902b6f890a8

SHA512
9f80b97f05fcef01b365bb51f578bef280abe2d8e9d4f49ec759ecf25b821f853ade81a5d6a5705544fb7075c2e75c51ae19e98c999dfdebb8c28cd84bb4b021

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2e83c2571f07eef76222e602a0657bb5

SHA1
b788ca9ec82b367046db245675e77c5d477ecf8e

SHA256
d6a93ec7673b31c00db931b86cafdffcfcdf848dc2360cdbbf29d779dc4d5935

SHA512
333d2be1aecd27b15324ab2127e68fc97f45ba1accf36ee2bc52dfab85459d36b77df7536a19e935e655d0e282bda8b7c9fb1160d945246de7a283d4947615ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ba7000bd73a18afcd486159c96feec49

SHA1
ec419d63f80010b09c71acc2cfc8c0625761eb5b

SHA256
1c359c379ecf9123373c99b42158317fb9518bea995c1e99f42ae1f6403e056f

SHA512
76ddea8a331efc37d3a6ce26998bf72e06bca3e0338f98b5648e2001cba5249a8ac03a95220b0f7fe73e1da1e4861ac3a7394336afd46349a9ecbeb5fe98f74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
91828fcf668f495bacf284aedb8e2aa2

SHA1
a91a91ba16868f7dbdc6f58e30effb496b9e2899

SHA256
25612eac1b739aafcabb71ee2745b045fe4648f8e2fd55be0c21352afb3a1db2

SHA512
b3ff25369a93eeeb86288ef7dbd82a54d630bfeacf605b860003df23469f8a5419e526a1872599e319c9d371e9c430ad45f6ca0b15dfa4de1d6541115f1e07b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
91c39cfde32b24dd2af633aa68d6cfea

SHA1
aba8ccfb65cb60c5ab40813370b893a3dbcf8acf

SHA256
0a20459d6771319b52aa0804c4e5b23e96e344c3094996ab0fd7c957881875e5

SHA512
b5aefabc83d4ea80931a5a745082bcca5d7535bf86f12fa9607040172d7b3f947d649c9073560115b6cb97193629beab70219bcb72941b6744316327593034c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d9ca21b7bf45923f83ac9e96941da6ea

SHA1
4b5780f937e2b27320294c51123683a1936dd45d

SHA256
bee85ce98ed4ef224d4ba2086b21e70197a54ce626005ae2f0e699308dbc863b

SHA512
378b60081df77ff9fef004660b7d8b357253d649bed5cb30736756cb3e34a9c2bf3201720ef2532836dfc429fe959b9cd88927c3123dca913b1d2c1cd04888a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1ff0c6e7675105c56bf02ee91c678f3e

SHA1
6331f9a02ff149c2ce324ac10316e44d9140ddd3

SHA256
2f49d479590bc5b1b82da80304ad275486036394bf6af1233acc8573d9d0ce23

SHA512
691019a3fef6d2593d41b4d973dc3038f37aaaa7a800f21cdc871da0635f798475d02517ec18627fd088e575b68dd15fe49c32f32b3ea456e9b995034f22600f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1da187dfa9483ee5aae65db6b4cf409e

SHA1
4da07139ada9fde8bca0a4b3d42670ba0c936cfc

SHA256
387446d819eddaaae78154d48869678a3b6925f037ee01e4d5da7fa11348c497

SHA512
3d8a01c9541bd0807ace681cea32419925086e5617bf4b0133f70a16a4490b65615838406eb472dc9fd72991a6c85e8c6ef1b1781d9992fe3eb83672ee4423e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e3383844d103a629cbce42eded1bd174

SHA1
a076f69327078d3afed0a9a8a1a656707512fee3

SHA256
06b53dfb331f133456b498bfd99a1ddd44626436f31cd503080c3661be5b5514

SHA512
eb2cc5faeb3674b8e308b8d1fd9e49d83c6307052197af4666b02a2124d819e5af9803ac19b89d647d2ad72fafd44321f4b2322b519cce907ee21f458cf4d3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d7a44002cbeae30ef72227f5e77f118c

SHA1
32563245d7607c0881ab1e562c49810d24c615db

SHA256
6a9f9a23612413797b55583b98cd07bcd99cb88ac583414c3a92fa961ca557b8

SHA512
793624300c586485bd77185816e059f5de0cfe434f573539a622f0c609910749ef84137e51759186f76a66ec9b841ee720278905e538fb8f5fb889ac06a9d84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3efc2a9c5d98db000d7fb141a1188aa1

SHA1
2dfc23309755f47b07a9dc72ae1ffc7a05b47082

SHA256
083b7358a2c1e5b24e2c95bd77b464a416ca862e42ba4a2dd1c6f1df8d838e9e

SHA512
7a313067ac1f40c4d212368cd551009ad91379cb1eafb779b88dee013d10b83eabb863ab4306b8601bd6ff7a3a89d47f7a87981a7ae6164a7f82523cbffd7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a845d1a265b7a0ec25b9c44d9936e45c

SHA1
b9814bedd9656fc463dbcc3183dba25c6083bccc

SHA256
9390ecd936fb2f52f4f6c5f5a2ffc7cde40163b19a55db80e7413e0c82ef60ff

SHA512
26542f81dd39fd0c95e9f61f1caeeba150bd921b54391c46752d9c8c2134fd69a9bdaba53b2bd07a9c9512d23b09d01e3ab0ad941b85d8122fa61496b9dfbf6d

Download Submit
C:\Users\Admin\AppData\Roaming\cglogs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\install\server.exe

Filesize
215KB

MD5
e966b34b13f43c3059f1e33195bc0e0d

SHA1
7f9bfa5fe6184533783be05747d2b1b8f8c904ae

SHA256
c23fa3d7de3f9982759976a9e18530b668b61c8a1df9db800dadf0adfdd3e8ac

SHA512
44a7d44413a958bb16992c7bb2ad8aa5719342befbd6b42eebb865ccd03fb036c21bc3519e3e83ee1fdbaca59cf872aaf3abf5c8cffbea0b64933af15179cd6d

Download Submit
\Windows\install\server.exe

Filesize
190KB

MD5
b8ab58c5132dc2011c4c0abdca5197d0

SHA1
34599fce4ec173434ee1f53e0ff8cb59355d5a9f

SHA256
af7b0335e7eed111de572bd79670de91e8aad2111ea5222af6cac824cfcc17e6

SHA512
3171cd702a7427247b8e6de39d48a984feff5bcfca7b9771d794b502fb5a489d194466a9549e4e26cdcf88f47d807ff5d7fd3108d7fb1ff74fa88b2ea3ce88ec

Download Submit
\Windows\install\server.exe

Filesize
216KB

MD5
f76f9acf0dbdfa556e39253400b9e087

SHA1
80c36406463431da28a34a078b16e505abe963c7

SHA256
d845db233abd24f97b63c48838dd6464b40078ef7a812e5468d2863bcb2f9ca8

SHA512
a3abd10de42cad65fde0b44cdc26751c87e301691a15520ad7318fb247e1e0f764cd775e10a080c758adea4152a243ae51ee4558be26fe3397d1ed508bf016ee

Download Submit
memory/1112-303-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1112-545-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1112-1032-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1112-305-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1208-17-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2016-870-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2016-873-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2216-0-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2216-12-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2216-3-0x0000000000930000-0x00000000009B0000-memory.dmp

Filesize
512KB

Download
memory/2216-2-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2216-1-0x0000000000930000-0x00000000009B0000-memory.dmp

Filesize
512KB

Download
memory/2520-846-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2520-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2768-845-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/2768-1676-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/2768-868-0x0000000006270000-0x00000000062C5000-memory.dmp

Filesize
340KB

Download
memory/2768-867-0x0000000004BE0000-0x0000000004C35000-memory.dmp

Filesize
340KB

Download
memory/2768-1898-0x0000000004BE0000-0x0000000004C35000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads