Analysis
- max time kernel: 153s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 17:38
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 318610b00e74a5abe4bbcaa01370189d.exe
  - Resource: win7-20231215-en
General
- Target: 318610b00e74a5abe4bbcaa01370189d.exe
- Size: 443KB
- MD5: 318610b00e74a5abe4bbcaa01370189d
- SHA1: c73582f6c16333c764f621f2836276e6a47fa288
- SHA256: 34c53542f56df7801d2ac8d939b53c9f053eeb54405bc5e45335fde7fa38a44a
- SHA512: bbea7aa1706a66357a2585661022a54b8d5b39123fff6cc3ba72beac917fd505256960deb3c7d7a2c9ac10fa989fffe5c6a95ac0b7bcb28f97da37d378bc84cf
- SSDEEP: 12288:zJHUqQrRTyQrXzIN7PlQVdgVIEB1MSuMpxYwD:l0qQVTysI9PMd4JKSPp62
Malware Config
Extracted
- Family: cybergate
- Version: v1.07.5
- remote: gunitx55.zapto.org:3014
- X64IK5U8EXAH0X
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: svchost.exe
- install_file: Facebook Stealer.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_title: CyberGate
- password: cybergate
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\Facebook Stealer.exe" | crtowlw.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | crtowlw.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\Facebook Stealer.exe" | crtowlw.exe |
| Key created | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | crtowlw.exe |

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13YWF4K0-2878-2JSV-208K-5F2K558X33RR} | crtowlw.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13YWF4K0-2878-2JSV-208K-5F2K558X33RR}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\Facebook Stealer.exe Restart" | crtowlw.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{13YWF4K0-2878-2JSV-208K-5F2K558X33RR} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13YWF4K0-2878-2JSV-208K-5F2K558X33RR}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\Facebook Stealer.exe" | explorer.exe |

Executes dropped EXE (3 IoCs)

| pid | Process |
|---|---|
| 2676 | crtowlw.exe |
| 2052 | crtowlw.exe |
| 1788 | Facebook Stealer.exe |

Loads dropped DLL (5 IoCs)

| pid | Process |
|---|---|
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2676 | crtowlw.exe |
| 2676 | crtowlw.exe |
| 2676 | crtowlw.exe |

| resource | yara_rule |
|---|---|
| behavioral1/memory/2676-13-0x0000000000400000-0x00000000004CB000-memory.dmp | upx |
| behavioral1/files/0x000c000000013a35-9.dat | upx |
| behavioral1/files/0x000c000000013a35-11.dat | upx |
| behavioral1/files/0x000c000000013a35-7.dat | upx |
| behavioral1/files/0x000c000000013a35-5.dat | upx |
| behavioral1/files/0x000c000000013a35-15.dat | upx |
| behavioral1/memory/2188-549-0x0000000010480000-0x00000000104E5000-memory.dmp | upx |
| behavioral1/files/0x0034000000016cdf-551.dat | upx |
| behavioral1/files/0x000c000000013a35-556.dat | upx |
| behavioral1/files/0x000c000000013a35-566.dat | upx |
| behavioral1/memory/2676-592-0x0000000000400000-0x00000000004CB000-memory.dmp | upx |
| behavioral1/memory/2676-558-0x00000000004D0000-0x000000000059B000-memory.dmp | upx |
| behavioral1/memory/2052-851-0x0000000010560000-0x00000000105C5000-memory.dmp | upx |
| behavioral1/memory/2676-858-0x0000000000400000-0x00000000004CB000-memory.dmp | upx |
| behavioral1/memory/2188-860-0x0000000010480000-0x00000000104E5000-memory.dmp | upx |
| behavioral1/memory/1788-861-0x0000000000400000-0x00000000004CB000-memory.dmp | upx |
| behavioral1/files/0x0034000000016cdf-857.dat | upx |
| behavioral1/files/0x0034000000016cdf-852.dat | upx |
| behavioral1/memory/1788-863-0x0000000000400000-0x00000000004CB000-memory.dmp | upx |
| behavioral1/memory/2052-865-0x0000000010560000-0x00000000105C5000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\Facebook Stealer.exe" | crtowlw.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\Facebook Stealer.exe" | crtowlw.exe |

Drops file in System32 directory (1 IoC)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\svchost.exe\Facebook Stealer.exe | crtowlw.exe |

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (15 IoCs)

| pid | Process |
|---|---|
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| 2676 | crtowlw.exe |
| 1788 | Facebook Stealer.exe |

Suspicious use of AdjustPrivilegeToken (5 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2196 | 318610b00e74a5abe4bbcaa01370189d.exe |
| Token: SeBackupPrivilege | 2188 | explorer.exe |
| Token: SeRestorePrivilege | 2188 | explorer.exe |
| Token: SeBackupPrivilege | 2052 | crtowlw.exe |
| Token: SeRestorePrivilege | 2052 | crtowlw.exe |

Suspicious use of FindShellTrayWindow (1 IoC)

| pid | Process |
|---|---|
| 2676 | crtowlw.exe |

Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2196 wrote to memory of 2676 | 2196 | 318610b00e74a5abe4bbcaa01370189d.exe | 28 |
| PID 2196 wrote to memory of 2676 | 2196 | 318610b00e74a5abe4bbcaa01370189d.exe | 28 |
| PID 2196 wrote to memory of 2676 | 2196 | 318610b00e74a5abe4bbcaa01370189d.exe | 28 |
| PID 2196 wrote to memory of 2676 | 2196 | 318610b00e74a5abe4bbcaa01370189d.exe | 28 |
| PID 2676 wrote to memory of 1244 | 2676 | crtowlw.exe | 17 |

The remaining rows of this table (64 IoCs are listed in total) all repeat the last entry: PID 2676 (crtowlw.exe) writing to the memory of PID 1244, procid_target 17.
Processes
- C:\Windows\Explorer.EXE (PID 1244); command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\318610b00e74a5abe4bbcaa01370189d.exe (PID 2196); command line: "C:\Users\Admin\AppData\Local\Temp\318610b00e74a5abe4bbcaa01370189d.exe"
    - Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\crtowlw.exe (PID 2676); command line: "C:\Users\Admin\AppData\Local\Temp\crtowlw.exe"
      - Signatures: Adds policy Run key to start application; Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 2188); command line: explorer.exe
        - Signatures: Modifies Installed Components in the registry; Suspicious use of AdjustPrivilegeToken
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 2452); command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Users\Admin\AppData\Local\Temp\crtowlw.exe (PID 2052); command line: "C:\Users\Admin\AppData\Local\Temp\crtowlw.exe"
        - Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe (PID 1788); command line: "C:\Users\Admin\AppData\Roaming\svchost.exe\Facebook Stealer.exe"
        - Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 168KB
  - MD5: e98e40e2faef1989a8dca0624a4a7e63
  - SHA1: 0cfb21bc807c9314f0f3c2670459f1a644e33f0f
  - SHA256: f391f7a6327bdfc623f790b6b67fb2e88b1c812d0b2e643194ddae493526aebf
  - SHA512: 7e1121ef6309e23a188258c7ca86b0504193f638a31e35d92f2b8a870833c66c5b0da07d8e852199a7637cde1e863cab825fae13843281a138feeef9b05667e6
- Filesize: 23KB
  - MD5: c45a1ca7434e285baac9ef85f8648673
  - SHA1: deb831bcf9c5bbbfdf597b509138a407cea1a01d
  - SHA256: 249843060b56099d655106215d3d901619c3af11c1b2661df380628513fcd1cb
  - SHA512: 352d2547f1ef75d0d6994abec0b2fe3b8a1d48c4e14e8b28eeee7a468acc7c2a3409a1ada20e0120b5ed73b94851b723931d4517290c9ecf171575768d22f55c
- Filesize: 15KB
  - MD5: 3fa31b3ac6c417836e712939a7465f72
  - SHA1: 7d64320fc1eb5c5a394caa6572116620aa11188f
  - SHA256: 3edf8b9e788cc0e6174d05d32569d82a70f3a916fc60db3381bda59d78bbafbd
  - SHA512: 4ad259d92035d477a3db25d97f3ea3cd16525c83496e70683b02445f380ae65dae556bb38458b9144ed2e424118953651af4154de83afb7f173580068272cce4
- Filesize: 327KB
  - MD5: 94940a5947247447fcf1a02d68298b2c
  - SHA1: 7686f4631b7bff57e91f6e84de0069fd0ce76841
  - SHA256: 47ba24529db76337dfc59ca8e97730e1729f3282dc0c1268eeb645282084c649
  - SHA512: 4dfb0b0abe20b84f8d9a89000739e3aefb89caee9e0bdc9f0df58eeb58528db8e6325b9cc1409eb4edf354e72fcac32dc23e84c5c25d2b12c250094b06dd8d6d
- Filesize: 174KB
  - MD5: 0c45b987af23a0037e9c7aed79f436bc
  - SHA1: 9d46b689331acda8bc71ffdfc731720cfeb073bd
  - SHA256: 735eaa326e8152f43d6e70a3070322edc70dc184a33268a92d1a64c8ce166eea
  - SHA512: 43778fed9d6650d823245fd537510b2d4aeb085bf2fb52dcb218e4c7b50a1d829e4873130e0c9f789c021c0ac864515eff9c9295a41bbc8a425859f9f7397b6a
- Filesize: 424KB
  - MD5: 2f521378e80a6cb26f6469d4d5a17044
  - SHA1: 3fc8c09d7ea6228f0b3a6e9ca67463ff3af55b4a
  - SHA256: f076b8d8544b494e38e82ede1f095838e7214dcd7bda70571c2db52d22c8ac14
  - SHA512: 132c705448dfa99cb65984e4ff691067c18d50eea61e2457e004398fd7705796829fa5bd9e84bd751c79732b8ba6a053c8c60a4cf7322ff31a5ea0ddfa3d855b
- Filesize: 130KB
  - MD5: adf493363a254b579fd47720308d6490
  - SHA1: b121dce005601b348245a3cbc0f2ae061cdf03b9
  - SHA256: 60c10ed488430858969512634473e2fd089b8c570ba1c043a8c8aab3388459b3
  - SHA512: 6b00ca3448cde49817868e26f8ffde55b3952e8f5d203af98a00823e2392dc4338e42ca48cd36273f0b9bf2f7ed0880f91718a6225206a8d65e827c98bccd102
- Filesize: 36KB
  - MD5: addab579611265148a324695c40d2b45
  - SHA1: 4989b6f68b15bf9f86684383725b12191592587a
  - SHA256: fd4ce5d10352f873ab50770711696d7776e0cefd7eae9cf662d436a87bfe8167
  - SHA512: d31e422cf33a46dac3f353e4710225ee541fa88b6d4ec354f381e4d775282c88f323baaa2c4d65d948bf7ef4698fc527a5eb4dac490669c14cf40cfd6061e320
- Filesize: 193KB
  - MD5: 192c19103b5bb374d5b560e01f65cc05
  - SHA1: ccc957208c4f697b0ae82b3b2bb9aed1af391012
  - SHA256: a2597985dd967ce2ded4b7a8df9a8504555d8271bf0fa2bbed6d1ef930c959dc
  - SHA512: 7635d621cc45f46e89a3c8c4284b9c2de564a7f8e3efc6035c3a0415d759b80f1c55e62ccf273307d8cf09cbce29972df7a934ac0582d3966e5a5eec07f0ce80
- Filesize: 226KB
  - MD5: 254776a93895866a7be11524a10a7c03
  - SHA1: d5c79ae0976a2e646f3ff386e3656d6fd45c238c
  - SHA256: 6fb5570c3f6b07d481d40ceb328aab8edffd7a6d8c74f1c5b03f0cb8a9e70a5b
  - SHA512: 59b35201c201cbc775d7cfd74931aa00a3d96e520c9254f8169f0a1aa2eb050b0731de18364a96fd54bd1e20029eb78daecb3356b521bf8b7b185296ff9eeb1f