General

  • Target

    4da9865240bd15b59025e9adcce95041

  • Size

    3.6MB

  • Sample

    240109-hwj1lshdam

  • MD5

    4da9865240bd15b59025e9adcce95041

  • SHA1

    aab7bae83afe0211b7bf41628f44e1edf699d28c

  • SHA256

    b2b1f374822e760b574cff680d989d0f229bdaf9029acacb2449162b92bbc16b

  • SHA512

    3dc7df2d520eddc23e98337537a110ed5969222cdff76d5c7e83cffbbbf987431e09df91781789020019c32981c509e36535a74bc1913a7f5ac16359c6810ef9

  • SSDEEP

    98304:GKZWKZc2golKZ8L2djKbqFYNn1bPoxMk5Aq1boWoN7:GKMKu2DlKVWbqNxpoN7

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

fearrusty.no-ip.info:82

Mutex

0DO30B5W0TAO3W

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    Facebook.com

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

op9.no-ip.biz:100

Mutex

H6Y643Q6J85D62

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    iTunes.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

Extracted

Family

cybergate

Version

v1.02.0

Botnet

remote

C2

fearrusty.no-ip.info:82

127.0.0.1:999

op9.no-ip.biz:82

Mutex

L0J8X1U03TC2TJ

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    csrss.exe

  • install_dir

    install

  • install_file

    iTunes.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

Targets

    • Target

      ABO.exe

    • Size

      283KB

    • MD5

      650f9f3426d6e9d5f2d93c638eb2c44c

    • SHA1

      925d0ab1a27ea91bc018c167435809b6908c3b97

    • SHA256

      6e7d83e76ecbd7f1a860aca8b5f6bd19c0aa730bd4f884a7e683716fa66900d6

    • SHA512

      4b1925996850886e3e423a81fb5d54002c3809d2244a4282784840db568be28728b45a6ac451537a2216b4c4cb7d95ac6b71ac66e34ef7935080804436144eda

    • SSDEEP

      6144:N4ABF94NpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUxGLE0kuGnESB+

    Score
    8/10
    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      ABO.exe.1

    • Size

      283KB

    • MD5

      650f9f3426d6e9d5f2d93c638eb2c44c

    • SHA1

      925d0ab1a27ea91bc018c167435809b6908c3b97

    • SHA256

      6e7d83e76ecbd7f1a860aca8b5f6bd19c0aa730bd4f884a7e683716fa66900d6

    • SHA512

      4b1925996850886e3e423a81fb5d54002c3809d2244a4282784840db568be28728b45a6ac451537a2216b4c4cb7d95ac6b71ac66e34ef7935080804436144eda

    • SSDEEP

      6144:N4ABF94NpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUxGLE0kuGnESB+

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Adobe.exe

    • Size

      296KB

    • MD5

      eea330542ac27446cf64b44d471b3a39

    • SHA1

      58f0ce5d435a55996c73df6a3a4ba5e1046a289d

    • SHA256

      415f00cda1dd9f55669b2b0ebe6488f23e079723c75da3d78277d80683615ddd

    • SHA512

      c67925e19c3fdd55d1da2ed3833d967437907a458f32fec4963a8aa5d863ae4d195fe2bd3547e7e428558e8c2169148a4897dcbf2f3ecf5f0f6ff65058d66ffe

    • SSDEEP

      6144:/OpslFlq2hdBCkWYxuukP1pjSKSNVkq/MVJbJ:/wsl/TBd47GLRMTbJ

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      CGserver.exe

    • Size

      264KB

    • MD5

      94ae6b1aeef3dffc6b6e2ca472191f39

    • SHA1

      cbbbe4b517bf30ce526444870d41307825688884

    • SHA256

      bc86c552a4043dd054e346ce889fc577f4fe7f70ec796652f64bd8edaf14a50a

    • SHA512

      3b8831d15fd3f14f7c33df27169eaf7e13329c6772d5306be8d01667f64f314354ade90349bb309e8f8a3519786c3ba2a9c78f15c8c783fc7d43685d409fd9ad

    • SSDEEP

      6144:ukkojivbTsgtMX+UHalwvzYJMAZvRiBxta8nm3suAK:xk9syMX+k4wvz58R6xtTctAK

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      COON.exe

    • Size

      283KB

    • MD5

      08b1c9f40dab18bfb54311b61bca4cda

    • SHA1

      c22d856fe1e40e44528ef221d852facd4b2c7e1b

    • SHA256

      51e9015ca0103b4abbed0f6d85d693d6b6c081bda99fcf2d0ad24ba96cbb3e46

    • SHA512

      610035f9af23d07817fc12953bdf6f0283497abedd18b8e62e7c062968f863512101b2b4d2a184e2a655a8184861aa2b41b50ae5f1e64f09293c712843951671

    • SSDEEP

      6144:N4ABF94zpAuO/50BTnqPd0Mpz7qhh4nXjjf8MZ9BKXK+:WUHGLE0kuGnESB+

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      FFA.exe

    • Size

      652KB

    • MD5

      7589fe75123045e6f30eab511e55bc3a

    • SHA1

      34e473bb2385e923feccb4aa5375a56924893a31

    • SHA256

      747f15512f3b04420d0bc2264192fb1f8a4cdf81993afb191ae835d86b650cd8

    • SHA512

      fba1f53b6c2e8954e906ba2343e2b1a9f0f88ae69df0eab567af3ece4bc93d6b5291cc55e0aaf2b3d7e7d4e5457ac95eaacbd027425e3fff9df467e28627adcf

    • SSDEEP

      12288:sRvnERMs3azRIMbcr6ZwchpZJmdhBPrx4PkAd5EBgv5gBjl:s5nm3fe5bMprx4c05EBgxgb

    • Modifies WinLogon for persistence

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      FIle Rustyz bot.exe

    • Size

      592KB

    • MD5

      9975548eab59876a15169a056766b298

    • SHA1

      4fedf79abf2c9c42720651d41290874aeb65669b

    • SHA256

      ab41d268755d89e45bd724912a8ef248b75ea3a877217718561e81d8785adde8

    • SHA512

      769d7c8378c2ebcdbacf040fcf73e1940fd479edcace1a1348330720725db580c1a10d05397a4429e66d0b2fbb2dfebe4c73e7ac5de496f53f8d46779586b886

    • SSDEEP

      12288:0DGP2qDSgnZ6nf+A7OmRQqk7RsQOBxSK4XajQYt:0Keqof3AXASXKt

    Score
    8/10
    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      FrostBot v1.exe

    • Size

      264KB

    • MD5

      cf1bbacd8ef9fec5e72137d3da543401

    • SHA1

      5cd65d1c0c3b8e8d69e9dd7807c1a19c7b277b42

    • SHA256

      6c650bcd3dd6accac5cae23ed42af2a6f57d936329a8e51ee710cb9cd2e2f3f3

    • SHA512

      b0c451f371f6f9e616211b0e9489c11c1a28b4a60f318f2f08889a85628f1e74a9110591da64a54a14d13f25cd8dca8ee0b587fca7649ac40321cebdbcaa0b94

    • SSDEEP

      6144:Xkkog1WPDJpu1DxZXn/GmVuXNTaGFtWJtk/WgGF7hK:0kd1GDJM13+dXNTvt6ikK

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Google.exe

    • Size

      264KB

    • MD5

      94ae6b1aeef3dffc6b6e2ca472191f39

    • SHA1

      cbbbe4b517bf30ce526444870d41307825688884

    • SHA256

      bc86c552a4043dd054e346ce889fc577f4fe7f70ec796652f64bd8edaf14a50a

    • SHA512

      3b8831d15fd3f14f7c33df27169eaf7e13329c6772d5306be8d01667f64f314354ade90349bb309e8f8a3519786c3ba2a9c78f15c8c783fc7d43685d409fd9ad

    • SSDEEP

      6144:ukkojivbTsgtMX+UHalwvzYJMAZvRiBxta8nm3suAK:xk9syMX+k4wvz58R6xtTctAK

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      MORPH_93594C2E8879.EXE

    • Size

      185KB

    • MD5

      d0b8d51565528b23a4d3727b395dcc67

    • SHA1

      1ba2426be4351645bee5ea613d23c0cd7adf8bb6

    • SHA256

      f0786dc9282a746b73606774a6a76bb947f29b130e3647b49fedd644c7aeeeef

    • SHA512

      afef7b668a5a84f4a5e8df3e0ba29e649308910a6cbb82fdf6e6d2e46a1df7df81c371db254d22d3e6353944cbb1fa8cfd1a9b8c9e5422084ff8eab429ac8f58

    • SSDEEP

      3072:zPba0Z7gARaH7iLvfwH7t3NpaLzoqVe1Lxp4vrMrXBNFPKJ0FjiI:60NRaGLvfwbPYU92IzBN1oEjf

    Score
    3/10
    • Target

      Mycrypt.exe

    • Size

      228KB

    • MD5

      a35e683f7392d7aa6be1ac5d325a0584

    • SHA1

      7b2a3dfd0579ec4a9f61e45994a48881ebb91b49

    • SHA256

      85fac218aabc9a6d08380d6f4fbe07818c5f7c8dc1f630bb849ab5681c83d7de

    • SHA512

      7c94c1f19f793d7efe251d9c0c4df900a10b8b85a36da9c883fce2b511f5f65d107d09be777efa92a3be6c0bdd38c302acd024ee48cf836889f79dfabb069470

    • SSDEEP

      3072:R26et7TW3+lXSittze7GjsZCc8dexm1qX2Gqfkz297vslPCTjUB9LQdItu:R2BTW6ji7ZCc8dMOqX2Gb29AlPn9Mx

    Score
    10/10
    • Modifies WinLogon for persistence

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      PortChecker.exe

    • Size

      128KB

    • MD5

      f9e1db23e7a2293a089963351994208d

    • SHA1

      dd60e6052959bf6787e035ce4122f4b9f461ce14

    • SHA256

      27a739ca787fa265624d3ab8a5311a0e0f7d39c79c3c5365aff25159b0bb8dd4

    • SHA512

      7058767d13fc57534f437b6c077d70ced53a0a8f53a03259dc3cc513ab07809c04303db649ba368b67bddee854f78c8570aa46d5f468720caa26696a8d70bc8e

    • SSDEEP

      1536:KENNZHJxxl+LxcZDWAy3OgHEtIyAq3Hoa35ecoNVkSQLVz4ZkNfG:pNHHgKZ4Et5lTRoNO5VEZkNe

    Score
    10/10
    • Modifies WinLogon for persistence

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      R.exe

    • Size

      264KB

    • MD5

      cf1bbacd8ef9fec5e72137d3da543401

    • SHA1

      5cd65d1c0c3b8e8d69e9dd7807c1a19c7b277b42

    • SHA256

      6c650bcd3dd6accac5cae23ed42af2a6f57d936329a8e51ee710cb9cd2e2f3f3

    • SHA512

      b0c451f371f6f9e616211b0e9489c11c1a28b4a60f318f2f08889a85628f1e74a9110591da64a54a14d13f25cd8dca8ee0b587fca7649ac40321cebdbcaa0b94

    • SSDEEP

      6144:Xkkog1WPDJpu1DxZXn/GmVuXNTaGFtWJtk/WgGF7hK:0kd1GDJM13+dXNTvt6ikK

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      RSBOT.exe

    • Size

      917B

    • MD5

      5076a2f51f15fb1c1c8e9a53c3f7d75c

    • SHA1

      1484b075977db4eea49d56ba4aa2a222afa158af

    • SHA256

      1f546772433db3cf1f04cb7af5bd724190f6dbd274a6cfd3f82b6bb1c46edae5

    • SHA512

      32ddc204effeb81f69a0f9dac64133ec72e90e3826ba73b3dbe563ca77e40105542eebb92ec25da5eae09af83591ead5f376ebac073d30653fca5dfda20763b6

    Score
    1/10
    • Target

      Rustyz.exe

    • Size

      120KB

    • MD5

      72bcd7f24413629f6b194c718af7b39e

    • SHA1

      8495ab957722ea594b4a45a8a7522b9a24d23988

    • SHA256

      43a8ced5b270b43b025b166f5069446de5c15479dcb049034f7db073153ebce4

    • SHA512

      d5c9f01857e20fef93a8dc2e854bd3d18cf4c8d712eb6bf416f740c2e17eb14d9afa7eb9afb9241261bbfb07ab066447f6b22c9f78b815416d392329265a5213

    • SSDEEP

      1536:94WHOJOV+P1tMZw1pSqvarF8TfHlo6nu/dhIo7RkSQAVE4Zks:94nzHn1nHllnu/co7aGV3Zks

    Score
    10/10
    • Modifies WinLogon for persistence

    • Modifies Windows Firewall

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      Rustyzzbot.exe

    • Size

      128KB

    • MD5

      f9e1db23e7a2293a089963351994208d

    • SHA1

      dd60e6052959bf6787e035ce4122f4b9f461ce14

    • SHA256

      27a739ca787fa265624d3ab8a5311a0e0f7d39c79c3c5365aff25159b0bb8dd4

    • SHA512

      7058767d13fc57534f437b6c077d70ced53a0a8f53a03259dc3cc513ab07809c04303db649ba368b67bddee854f78c8570aa46d5f468720caa26696a8d70bc8e

    • SSDEEP

      1536:KENNZHJxxl+LxcZDWAy3OgHEtIyAq3Hoa35ecoNVkSQLVz4ZkNfG:pNHHgKZ4Et5lTRoNO5VEZkNe

    Score
    8/10

MITRE ATT&CK Enterprise v15

Tasks

static1
  Tags: remote, cyber, upx, cybergate
  Score: 10/10

behavioral1
  Tags: persistence, upx
  Score: 8/10

behavioral2
  Tags: persistence, upx
  Score: 8/10

behavioral3
  Tags: persistence, upx
  Score: 8/10

behavioral4
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral5
  Tags: persistence, upx
  Score: 8/10

behavioral6
  Tags: cybergate, cyber, persistence, stealer, trojan, upx
  Score: 10/10

behavioral7
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral8
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral9
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral10
  Tags: persistence, upx
  Score: 8/10

behavioral11
  Tags: evasion, persistence, spyware, stealer
  Score: 10/10

behavioral12
  Tags: evasion
  Score: 8/10

behavioral13
  Tags: persistence, upx
  Score: 8/10

behavioral14
  Tags: persistence, upx
  Score: 8/10

behavioral15
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral16
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral17
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral18
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral19
  Tags: (none)
  Score: 3/10

behavioral20
  Tags: (none)
  Score: 3/10

behavioral21
  Tags: evasion
  Score: 8/10

behavioral22
  Tags: evasion, persistence
  Score: 10/10

behavioral23
  Tags: evasion
  Score: 8/10

behavioral24
  Tags: evasion, persistence
  Score: 10/10

behavioral25
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral26
  Tags: cybergate, remote, persistence, stealer, trojan, upx
  Score: 10/10

behavioral27
  Tags: (none)
  Score: 1/10

behavioral28
  Tags: (none)
  Score: 1/10

behavioral29
  Tags: evasion
  Score: 8/10

behavioral30
  Tags: evasion, persistence
  Score: 10/10

behavioral31
  Tags: evasion
  Score: 8/10

behavioral32
  Tags: (none)
  Score: 1/10