Analysis

  • max time kernel
    153s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 17:38

General

  • Target

    318610b00e74a5abe4bbcaa01370189d.exe

  • Size

    443KB

  • MD5

    318610b00e74a5abe4bbcaa01370189d

  • SHA1

    c73582f6c16333c764f621f2836276e6a47fa288

  • SHA256

    34c53542f56df7801d2ac8d939b53c9f053eeb54405bc5e45335fde7fa38a44a

  • SHA512

    bbea7aa1706a66357a2585661022a54b8d5b39123fff6cc3ba72beac917fd505256960deb3c7d7a2c9ac10fa989fffe5c6a95ac0b7bcb28f97da37d378bc84cf

  • SSDEEP

    12288:zJHUqQrRTyQrXzIN7PlQVdgVIEB1MSuMpxYwD:l0qQVTysI9PMd4JKSPp62

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

gunitx55.zapto.org:3014

Mutex

X64IK5U8EXAH0X

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    svchost.exe

  • install_file

    Facebook Stealer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM
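
The extracted config already carries what a hunt needs: the C2 is a No-IP dynamic-DNS hostname (zapto.org), so whatever IP it resolved to during this run is disposable and the block belongs on the name; install_dir and install_file combine into the path the process tree shows, a directory literally named svchost.exe under %APPDATA%; and the Run-key and Installed Components signatures say where persistence lands. The Python below is an added example, not code from the sandbox or this report: CONFIG is transcribed from the section above, while the registry key list and the %APPDATA% path derivation are assumptions based on the report's signature names and process tree.

```python
"""Turn the CyberGate config extracted above into hunting artefacts.

Added example, not code from the sandbox or from the report: CONFIG is
transcribed from the Malware Config section; the registry key list and the
%APPDATA% path derivation are assumptions drawn from the report's signature
names and process tree.
"""

# Values as listed under "Malware Config" (transcribed, not invented).
CONFIG = {
    "family": "cybergate",
    "version": "v1.07.5",
    "c2": ["gunitx55.zapto.org:3014"],
    "mutex": "X64IK5U8EXAH0X",
    "injected_process": "explorer.exe",
    "install_dir": "svchost.exe",
    "install_file": "Facebook Stealer.exe",
    "install_flag": True,
    "enable_keylogger": True,
    "keylogger_enable_ftp": False,
    "ftp_directory": "./logs/",
    "regkey_hkcu": "HKCU",
    "regkey_hklm": "HKLM",
}

# Keys behind the report's "Adds Run key", "Adds policy Run key" and
# "Modifies Installed Components" signatures (assumed mapping; the value
# names are the sample's own and are not shown on the page).
RUN_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"Software\Microsoft\Active Setup\Installed Components",
]

# A few of No-IP's free dynamic-DNS zones; zapto.org is one of them.
DYNAMIC_DNS_ZONES = (".zapto.org", ".no-ip.org", ".ddns.net", ".hopto.org")


def parse_c2(entry):
    """Split 'host:port' into (host, int port); rpartition tolerates IPv6."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"unparseable C2 entry: {entry!r}")
    return host, int(port)


def is_dynamic_dns(host):
    """Dynamic-DNS C2 re-points at will: block the hostname, not today's IP."""
    return host.lower().endswith(DYNAMIC_DNS_ZONES)


def install_path(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """install_dir is a directory literally named svchost.exe under
    %APPDATA% and install_file the EXE inside it; this reproduces the path
    seen in the process tree."""
    return "\\".join([appdata, cfg["install_dir"], cfg["install_file"]])


def exe_named_directory(path):
    """Hunting heuristic: a *directory* component ending in .exe.  A real
    svchost.exe is a file in System32, never a folder under %APPDATA%."""
    parts = path.replace("/", "\\").split("\\")
    return any(p.lower().endswith(".exe") for p in parts[:-1])


def iocs_from_config(cfg, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Collect network, file, mutex and registry artefacts plus analyst notes."""
    iocs = {"network": [], "files": [], "mutexes": [], "registry": [], "notes": []}
    for entry in cfg["c2"]:
        host, port = parse_c2(entry)
        iocs["network"].append(
            {"host": host, "port": port, "dynamic_dns": is_dynamic_dns(host)})
    iocs["mutexes"].append(cfg["mutex"])
    if cfg.get("install_flag"):
        iocs["files"].append(install_path(cfg, appdata))
        for key_flag, hive in (("regkey_hkcu", "HKCU"), ("regkey_hklm", "HKLM")):
            if cfg.get(key_flag):
                iocs["registry"].extend(f"{hive}\\{k}" for k in RUN_KEYS)
    if cfg.get("enable_keylogger") and not cfg.get("keylogger_enable_ftp"):
        iocs["notes"].append(
            f"keylogger on, FTP upload off: logs stay on disk, not pushed to {cfg['ftp_directory']}")
    iocs["notes"].append(f"payload is configured to run inside {cfg['injected_process']}; "
                         "expect the C2 connection from that process")
    return iocs


if __name__ == "__main__":
    import json
    print(json.dumps(iocs_from_config(CONFIG), indent=2))
```

The exe_named_directory check is the cheap, high-signal one here: a folder named like a system binary under a user profile is rare in legitimate software and survives the operator changing the C2 or rebuilding the sample.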

Signatures

  • CyberGate, Rebhip

    CyberGate, also tracked as Rebhip, is a commodity remote access trojan with a broad feature set; this build's config enables the keylogger, injects into explorer.exe and installs under %APPDATA%\svchost.exe\.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (5 IoCs)
  • UPX packed file (20 IoCs)

    Detects executables packed with UPX, or with a modified build of that open-source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1244
      • C:\Users\Admin\AppData\Local\Temp\318610b00e74a5abe4bbcaa01370189d.exe
        "C:\Users\Admin\AppData\Local\Temp\318610b00e74a5abe4bbcaa01370189d.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Users\Admin\AppData\Local\Temp\crtowlw.exe
          "C:\Users\Admin\AppData\Local\Temp\crtowlw.exe"
          3⤵
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Modifies Installed Components in the registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2188
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            4⤵
              PID:2452
            • C:\Users\Admin\AppData\Local\Temp\crtowlw.exe
              "C:\Users\Admin\AppData\Local\Temp\crtowlw.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2052
            • C:\Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe
              "C:\Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1788

Network

MITRE ATT&CK Enterprise v15


Downloads

            • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

              Filesize

              168KB

              MD5

              e98e40e2faef1989a8dca0624a4a7e63

              SHA1

              0cfb21bc807c9314f0f3c2670459f1a644e33f0f

              SHA256

              f391f7a6327bdfc623f790b6b67fb2e88b1c812d0b2e643194ddae493526aebf

              SHA512

              7e1121ef6309e23a188258c7ca86b0504193f638a31e35d92f2b8a870833c66c5b0da07d8e852199a7637cde1e863cab825fae13843281a138feeef9b05667e6

            • C:\Users\Admin\AppData\Local\Temp\crtowlw.exe

              Filesize

              23KB

              MD5

              c45a1ca7434e285baac9ef85f8648673

              SHA1

              deb831bcf9c5bbbfdf597b509138a407cea1a01d

              SHA256

              249843060b56099d655106215d3d901619c3af11c1b2661df380628513fcd1cb

              SHA512

              352d2547f1ef75d0d6994abec0b2fe3b8a1d48c4e14e8b28eeee7a468acc7c2a3409a1ada20e0120b5ed73b94851b723931d4517290c9ecf171575768d22f55c

            • C:\Users\Admin\AppData\Local\Temp\crtowlw.exe

              Filesize

              15KB

              MD5

              3fa31b3ac6c417836e712939a7465f72

              SHA1

              7d64320fc1eb5c5a394caa6572116620aa11188f

              SHA256

              3edf8b9e788cc0e6174d05d32569d82a70f3a916fc60db3381bda59d78bbafbd

              SHA512

              4ad259d92035d477a3db25d97f3ea3cd16525c83496e70683b02445f380ae65dae556bb38458b9144ed2e424118953651af4154de83afb7f173580068272cce4

            • C:\Users\Admin\AppData\Local\Temp\crtowlw.exe

              Filesize

              327KB

              MD5

              94940a5947247447fcf1a02d68298b2c

              SHA1

              7686f4631b7bff57e91f6e84de0069fd0ce76841

              SHA256

              47ba24529db76337dfc59ca8e97730e1729f3282dc0c1268eeb645282084c649

              SHA512

              4dfb0b0abe20b84f8d9a89000739e3aefb89caee9e0bdc9f0df58eeb58528db8e6325b9cc1409eb4edf354e72fcac32dc23e84c5c25d2b12c250094b06dd8d6d

            • C:\Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe

              Filesize

              174KB

              MD5

              0c45b987af23a0037e9c7aed79f436bc

              SHA1

              9d46b689331acda8bc71ffdfc731720cfeb073bd

              SHA256

              735eaa326e8152f43d6e70a3070322edc70dc184a33268a92d1a64c8ce166eea

              SHA512

              43778fed9d6650d823245fd537510b2d4aeb085bf2fb52dcb218e4c7b50a1d829e4873130e0c9f789c021c0ac864515eff9c9295a41bbc8a425859f9f7397b6a

            • C:\Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe

              Filesize

              424KB

              MD5

              2f521378e80a6cb26f6469d4d5a17044

              SHA1

              3fc8c09d7ea6228f0b3a6e9ca67463ff3af55b4a

              SHA256

              f076b8d8544b494e38e82ede1f095838e7214dcd7bda70571c2db52d22c8ac14

              SHA512

              132c705448dfa99cb65984e4ff691067c18d50eea61e2457e004398fd7705796829fa5bd9e84bd751c79732b8ba6a053c8c60a4cf7322ff31a5ea0ddfa3d855b

            • \Users\Admin\AppData\Local\Temp\crtowlw.exe

              Filesize

              130KB

              MD5

              adf493363a254b579fd47720308d6490

              SHA1

              b121dce005601b348245a3cbc0f2ae061cdf03b9

              SHA256

              60c10ed488430858969512634473e2fd089b8c570ba1c043a8c8aab3388459b3

              SHA512

              6b00ca3448cde49817868e26f8ffde55b3952e8f5d203af98a00823e2392dc4338e42ca48cd36273f0b9bf2f7ed0880f91718a6225206a8d65e827c98bccd102

            • \Users\Admin\AppData\Local\Temp\crtowlw.exe

              Filesize

              36KB

              MD5

              addab579611265148a324695c40d2b45

              SHA1

              4989b6f68b15bf9f86684383725b12191592587a

              SHA256

              fd4ce5d10352f873ab50770711696d7776e0cefd7eae9cf662d436a87bfe8167

              SHA512

              d31e422cf33a46dac3f353e4710225ee541fa88b6d4ec354f381e4d775282c88f323baaa2c4d65d948bf7ef4698fc527a5eb4dac490669c14cf40cfd6061e320

            • \Users\Admin\AppData\Local\Temp\crtowlw.exe

              Filesize

              193KB

              MD5

              192c19103b5bb374d5b560e01f65cc05

              SHA1

              ccc957208c4f697b0ae82b3b2bb9aed1af391012

              SHA256

              a2597985dd967ce2ded4b7a8df9a8504555d8271bf0fa2bbed6d1ef930c959dc

              SHA512

              7635d621cc45f46e89a3c8c4284b9c2de564a7f8e3efc6035c3a0415d759b80f1c55e62ccf273307d8cf09cbce29972df7a934ac0582d3966e5a5eec07f0ce80

            • \Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe

              Filesize

              226KB

              MD5

              254776a93895866a7be11524a10a7c03

              SHA1

              d5c79ae0976a2e646f3ff386e3656d6fd45c238c

              SHA256

              6fb5570c3f6b07d481d40ceb328aab8edffd7a6d8c74f1c5b03f0cb8a9e70a5b

              SHA512

              59b35201c201cbc775d7cfd74931aa00a3d96e520c9254f8169f0a1aa2eb050b0731de18364a96fd54bd1e20029eb78daecb3356b521bf8b7b185296ff9eeb1f

            • memory/1244-19-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

              Filesize

              4KB

            • memory/1788-863-0x0000000000400000-0x00000000004CB000-memory.dmp

              Filesize

              812KB

            • memory/1788-861-0x0000000000400000-0x00000000004CB000-memory.dmp

              Filesize

              812KB

            • memory/2052-851-0x0000000010560000-0x00000000105C5000-memory.dmp

              Filesize

              404KB

            • memory/2052-865-0x0000000010560000-0x00000000105C5000-memory.dmp

              Filesize

              404KB

            • memory/2188-263-0x00000000000E0000-0x00000000000E1000-memory.dmp

              Filesize

              4KB

            • memory/2188-265-0x00000000000A0000-0x00000000000A1000-memory.dmp

              Filesize

              4KB

            • memory/2188-549-0x0000000010480000-0x00000000104E5000-memory.dmp

              Filesize

              404KB

            • memory/2188-860-0x0000000010480000-0x00000000104E5000-memory.dmp

              Filesize

              404KB

            • memory/2196-12-0x0000000004C90000-0x0000000004D5B000-memory.dmp

              Filesize

              812KB

            • memory/2196-1-0x0000000074050000-0x00000000745FB000-memory.dmp

              Filesize

              5.7MB

            • memory/2196-2-0x0000000000350000-0x0000000000390000-memory.dmp

              Filesize

              256KB

            • memory/2196-14-0x0000000074050000-0x00000000745FB000-memory.dmp

              Filesize

              5.7MB

            • memory/2196-0-0x0000000074050000-0x00000000745FB000-memory.dmp

              Filesize

              5.7MB

            • memory/2676-558-0x00000000004D0000-0x000000000059B000-memory.dmp

              Filesize

              812KB

            • memory/2676-858-0x0000000000400000-0x00000000004CB000-memory.dmp

              Filesize

              812KB

            • memory/2676-592-0x0000000000400000-0x00000000004CB000-memory.dmp

              Filesize

              812KB

            • memory/2676-859-0x00000000026C0000-0x000000000278B000-memory.dmp

              Filesize

              812KB

            • memory/2676-856-0x00000000026C0000-0x000000000278B000-memory.dmp

              Filesize

              812KB

            • memory/2676-13-0x0000000000400000-0x00000000004CB000-memory.dmp

              Filesize

              812KB

            • memory/2676-867-0x00000000026C0000-0x000000000278B000-memory.dmp

              Filesize

              812KB
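
Two things in the list above deserve a check before any of it goes into a blocklist. The same path appears repeatedly with different sizes and hashes (crtowlw.exe at 23KB, 15KB, 327KB, 130KB, 36KB and 193KB), which is what a sandbox reports when it captures a file at several points while it is still being written; hash the final on-disk copy rather than trusting every hash listed. The memory-dump names encode PID, sequence number and address range, and the Filesize is simply end minus start (0x4CB000 - 0x400000 = 0xCB000 = 812KB). The 812KB region at image base 0x400000 in crtowlw.exe (PID 2676) recurs as a heap block in the original sample (PID 2196, 0x4C90000) and at 0x400000 in Facebook Stealer.exe (PID 1788); a size match across processes says where to look for the unpacked payload but is not proof on its own. The Python below is an added example, not part of the report; RECORDS and DROPPED are constructed subsets transcribed from the list above, and the name format and size rounding are assumptions checked against those entries.

```python
"""Parse the dropped-file and memory-dump records of the report above.

Added example, not code from the sandbox: RECORDS and DROPPED are constructed
subsets transcribed from the lists on this page; the name format and the
size rounding are assumptions checked against those entries.
"""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (format as seen on the page)
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

RECORDS = [  # (dump name, Filesize as listed), constructed subset
    ("memory/1244-19-0x0000000002AD0000-0x0000000002AD1000-memory.dmp", "4KB"),
    ("memory/1788-861-0x0000000000400000-0x00000000004CB000-memory.dmp", "812KB"),
    ("memory/2052-851-0x0000000010560000-0x00000000105C5000-memory.dmp", "404KB"),
    ("memory/2188-549-0x0000000010480000-0x00000000104E5000-memory.dmp", "404KB"),
    ("memory/2196-12-0x0000000004C90000-0x0000000004D5B000-memory.dmp", "812KB"),
    ("memory/2196-1-0x0000000074050000-0x00000000745FB000-memory.dmp", "5.7MB"),
    ("memory/2196-2-0x0000000000350000-0x0000000000390000-memory.dmp", "256KB"),
    ("memory/2676-13-0x0000000000400000-0x00000000004CB000-memory.dmp", "812KB"),
    ("memory/2676-859-0x00000000026C0000-0x000000000278B000-memory.dmp", "812KB"),
]

DROPPED = [  # (path, Filesize, SHA256) from the Downloads list, constructed subset
    (r"C:\Users\Admin\AppData\Local\Temp\crtowlw.exe", "23KB",
     "249843060b56099d655106215d3d901619c3af11c1b2661df380628513fcd1cb"),
    (r"C:\Users\Admin\AppData\Local\Temp\crtowlw.exe", "327KB",
     "47ba24529db76337dfc59ca8e97730e1729f3282dc0c1268eeb645282084c649"),
    (r"C:\Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe", "174KB",
     "735eaa326e8152f43d6e70a3070322edc70dc184a33268a92d1a64c8ce166eea"),
    (r"C:\Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe", "424KB",
     "f076b8d8544b494e38e82ede1f095838e7214dcd7bda70571c2db52d22c8ac14"),
    (r"C:\Users\Admin\AppData\Local\Temp\Admin2.txt", "168KB",
     "f391f7a6327bdfc623f790b6b67fb2e88b1c812d0b2e643194ddae493526aebf"),
]

IMAGE_SIZE = 0x4CB000 - 0x400000  # the 812KB region at crtowlw.exe's image base


def parse_dump(name):
    """Decode a dump name into pid, sequence number and byte range."""
    m = MEM_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human(size):
    """Size the way the list shows it: whole KB below 1 MB, one-decimal MB
    above (rounding assumed from the 5.7MB entry)."""
    if size >= 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    return f"{size // 1024}KB"


def check_sizes(records):
    """Return entries whose listed Filesize disagrees with end - start."""
    return [(name, listed, human(parse_dump(name)["size"]))
            for name, listed in records
            if human(parse_dump(name)["size"]) != listed]


def regions_of_size(records, size):
    """Start addresses of regions exactly `size` bytes long, keyed by PID.
    A size match across processes is a lead for where the unpacked payload
    was copied; hash the dumps before treating it as proof."""
    hits = defaultdict(list)
    for name, _ in records:
        d = parse_dump(name)
        if d["size"] == size:
            hits[d["pid"]].append(hex(d["start"]))
    return dict(hits)


def multi_hash_paths(dropped):
    """Paths captured more than once with different content: the sandbox saw
    the file at several stages of being written, so do not blocklist every
    hash blindly."""
    seen = defaultdict(list)
    for path, size, sha256 in dropped:
        seen[path].append((size, sha256))
    return {p: v for p, v in seen.items() if len({h for _, h in v}) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_sizes(RECORDS))
    print("regions of", human(IMAGE_SIZE), regions_of_size(RECORDS, IMAGE_SIZE))
    for path, versions in multi_hash_paths(DROPPED).items():
        print(path, [s for s, _ in versions])
```

check_sizes comes back empty for every entry transcribed here, which is the confirmation that the listed sizes are derived from the address ranges and carry no extra information; the useful signal is regions_of_size, which ties the three 812KB regions in PIDs 2676, 2196 and 1788 together for the analyst to compare.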