Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

41b9b44d21...22.exe

windows7-x64

8

41b9b44d21...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    164s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/01/2024, 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41b9b44d2148e05ad8bed16cb14d1522.exe

  • Size

    199KB

  • MD5

    41b9b44d2148e05ad8bed16cb14d1522

  • SHA1

    f06026bd702fb2aad1ea4e2541c89d264a12ff15

  • SHA256

    cff5e727c9d26cd29b68e1c6c15679e9768a6b3436c6e316c70adcd710ae1e0b

  • SHA512

    07df25d313fce037ab2561215ed523cb1630a10d090b88f6688e3d16f1e28d92369babfdda75a11f037c2ca51b61f1f0044e9e995d225f4f8d7e91c38fc374ef

  • SSDEEP

    6144:nbbzaZzW7z4ipOIf1rB0+oHK+wgLE6y/zQ:bb8z0TVlBPD1BzQ

Score
10/10
cybergatexxxv2.3xxxpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.3

Botnet

xxxv2.3xxx

C2

crash.serveftp.com:6662

tucke.servebeer.com:6662

pussy75.serveftp.com:6662
Mutex

***iexplorer***

Attributes
  • enable_keylogger

    false

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    iexplorer

  • install_file

    iexplorer.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    memmel

  • regkey_hkcu

    iexplorer

  • regkey_hklm

    iexplorer

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\41b9b44d2148e05ad8bed16cb14d1522.exe
        "C:\Users\Admin\AppData\Local\Temp\41b9b44d2148e05ad8bed16cb14d1522.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          PID:1800
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          PID:3580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
      Filesize

      144KB

      MD5

      df76f3f013116c8db60350675a5f12b4

      SHA1

      f797d960a0e22bb67a2134bba9a4c38e687b2b22

      SHA256

      08a6411668d66047b7d1038b38a26a1dbb43ecbf77ab60d46799d6c748e357f2

      SHA512

      1ef3f564c09ec3ac951cbaf19f75e9cc990c2ba75ff062a2ab4510984cac903e3f7dc3eec2bfc00bd4c70f3e6d07e255c85aa5df51409eaab9d9f5da15d86278

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx
      Filesize

      8B

      MD5

      d13fd0e5f62e5ab7980f2ffcbc5812e0

      SHA1

      4ada2059ed393e796a59c4ab25f0abc835eaf1bc

      SHA256

      23abcf8d82a5b13c5d3474a24e20e239860178725028d6cfba0b9b15697d9f50

      SHA512

      80b48cdd2c66748aa40496ca073fa1eab229b2ff51fe8fc5f79aea4b0ca3d8f4238540eb062f6df32b27e110595f5f1244b8a4dbe68718e76b489cfccf0394d5

      Download Submit

    • C:\Windows\SysWOW64\iexplorer\iexplorer.exe
      Filesize

      199KB

      MD5

      41b9b44d2148e05ad8bed16cb14d1522

      SHA1

      f06026bd702fb2aad1ea4e2541c89d264a12ff15

      SHA256

      cff5e727c9d26cd29b68e1c6c15679e9768a6b3436c6e316c70adcd710ae1e0b

      SHA512

      07df25d313fce037ab2561215ed523cb1630a10d090b88f6688e3d16f1e28d92369babfdda75a11f037c2ca51b61f1f0044e9e995d225f4f8d7e91c38fc374ef

      Download Submit

    • memory/1800-60-0x0000000024060000-0x00000000240A1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/1800-57-0x0000000024060000-0x00000000240A1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/1800-56-0x0000000003350000-0x0000000003351000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-8-0x0000000000800000-0x0000000000801000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-126-0x0000000024060000-0x00000000240A1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/1800-7-0x0000000000540000-0x0000000000541000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3084-53-0x0000000024060000-0x00000000240A1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/3084-9-0x0000000000400000-0x0000000000439000-memory.dmp

      Filesize

      228KB

      Download

    • memory/3084-3-0x0000000024010000-0x0000000024051000-memory.dmp

      Filesize

      260KB

      Download

    • memory/3580-111-0x00000000240B0000-0x00000000240F1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/3580-132-0x00000000240B0000-0x00000000240F1000-memory.dmp

      Filesize

      260KB

      Download