Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3f6c54a9f8...32.exe

windows7-x64

10

3f6c54a9f8...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 22:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f6c54a9f85391e4dd50846190189032.exe

  • Size

    896KB

  • MD5

    3f6c54a9f85391e4dd50846190189032

  • SHA1

    686e909d5fb30943a1b34cc6719e2ef76efe2e99

  • SHA256

    7df42715e9ac3291391fee47cdd2d17953f08b446b115a20057c6f5597d04c7a

  • SHA512

    9394b47b27145659108d8ecc60df2b74a1340e66b267de666c4f4fc0ad60c2844a5c88e10691fd5b548b19ff92f33923f6735df1375a88edcb8f19f3c2ae581f

  • SSDEEP

    24576:U+9jpSIR/998CGPMAkqAyt9kkQ1bNWxMbG:DjQBDAyt9ktUn

Score
10/10
cybergateremotepersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

remote

C2

127.0.0.1:81

fenerli1907.no-ip.biz:81
Mutex

6HTML1R8472C5Q

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    filevw61.OCX Error

  • message_box_title

    Error

  • password

    1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\3f6c54a9f85391e4dd50846190189032.exe
        "C:\Users\Admin\AppData\Local\Temp\3f6c54a9f85391e4dd50846190189032.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
          "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            PID:864
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4408
            • C:\Windows\install\server.exe
              "C:\Windows\install\server.exe"
              5⤵
              • Executes dropped EXE
              PID:4760
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 576
                6⤵
                • Program crash
                PID:1952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4760 -ip 4760
      1⤵
        PID:1888

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
        Filesize

        267KB

        MD5

        88d8e598c89fbec0dcec5436f99e250b

        SHA1

        710a793b01cdfb4a3f68b5d9628edd664014948f

        SHA256

        9e7de1a076834791767207fb07ee73a96592e78f15c618da7c5396fffa3c7d42

        SHA512

        cb6a63f82c2e8f08dc305c4d235cb75c150889469e3a65c93da2d63dbea2190a92faa8f92256cdf6098abb71996fb6fa4842fb4db3965f1b9a988ef202552fe3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
        Filesize

        134KB

        MD5

        a8508735d64ba770b59428477e6afb8b

        SHA1

        9a1ae01501f2acb053d21132a6b9d6f78b6ca604

        SHA256

        79cb94066033d14a1c7836f5108c8c2e6ea1d0ef21f6c34cdeca29686415b982

        SHA512

        8cb73ddf5b4748e782193050a6b2889b0699505e9eb2408b3d690c42e0da26fb992f245683180790dc9720f63f838d8e48da268d9837feba6205c8dd1dce360a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        bb196e83cfb953227d231e610a39746a

        SHA1

        749820aebe2a44d89cc0e3ee4f3c17ddf78e7e2e

        SHA256

        e09bcee7a2d5c6bf05f25d3c53bfc335d43621e77ff41d87323253192db5f12e

        SHA512

        a824175e154c33ad3ff680574b5b053391f1b84a45afe2d67c6e99000a0c1ca33f2975e7dd63e3e1e09ae78c7e51bd03568db3f19d6d01a4f1768e32868fb296

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        4f400310c352efc0dc990638f3753b01

        SHA1

        63fd39e0d75eee83bc3973a3e38c7d0e74f370ff

        SHA256

        274cfba485ab81687b9e82ceeadaada4c9330f12075d45500dccbb9278c47246

        SHA512

        045e8a3591c690b6f16800984e57fd15cea58993e3ccb2a22ff9ea150319458a7a2a913da4338856b8ab93f427c369413cb9d0245af49cc6a4a06cf2c8fdd04c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
        Filesize

        8B

        MD5

        df5ac26638825a5ec6234499e34e595b

        SHA1

        f29ed1fb4f409c693f489ba8717ecb6d65d48c2b

        SHA256

        fbc008e0c7f218cb464ef172df30ca354ead2690bd574f6305740f4dce617cad

        SHA512

        02cbc680ff7102c7f1a2fd833ad15b3040b53dd3e8a09889ebb492216cb70283f74600be034d7e39daf0a200224909ef50834ca8a07d270db20db86f0eb32cff

        Download Submit

      • C:\Users\Admin\AppData\Roaming\cglogs.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        Download Submit

      • memory/864-28-0x00000000004B0000-0x00000000004B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/864-396-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

        Download

      • memory/864-86-0x00000000033E0000-0x00000000033E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/864-87-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

        Download

      • memory/864-88-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

        Download

      • memory/864-27-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2796-155-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/2796-16-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download

      • memory/2796-23-0x0000000010410000-0x0000000010471000-memory.dmp

        Filesize

        388KB

        Download

      • memory/2796-83-0x0000000010480000-0x00000000104E1000-memory.dmp

        Filesize

        388KB

        Download

      • memory/3324-0-0x000000001B250000-0x000000001B2F6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/3324-8-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3324-7-0x000000001BFA0000-0x000000001BFEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3324-6-0x000000001B320000-0x000000001B328000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3324-19-0x00007FFBCE370000-0x00007FFBCED11000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/3324-5-0x000000001BE40000-0x000000001BEDC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3324-4-0x00007FFBCE370000-0x00007FFBCED11000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/3324-3-0x000000001B810000-0x000000001BCDE000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/3324-1-0x00007FFBCE370000-0x00007FFBCED11000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/3324-2-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4408-153-0x00000000104F0000-0x0000000010551000-memory.dmp

        Filesize

        388KB

        Download

      • memory/4408-400-0x00000000104F0000-0x0000000010551000-memory.dmp

        Filesize

        388KB

        Download

      • memory/4760-175-0x0000000000400000-0x0000000000455000-memory.dmp

        Filesize

        340KB

        Download