Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
18/01/2024, 06:00
General
-
Target
64a73bb6ad9ffe6ffe9472eb6f0efea9.exe
-
Size
1.0MB
-
MD5
64a73bb6ad9ffe6ffe9472eb6f0efea9
-
SHA1
f5b51d0250ca3cb0f445bbffc83fa072f4e0f4f1
-
SHA256
3ab988be7998e549c715655fbff6cdee13208add6b73d3face87b6e93332deab
-
SHA512
2e23d2754dfb6869f9f24e485485002db0183f337ef5a71fda73ea67711bd7c5daec2ff2e1f53098ff20c8348b32169f6c2d992092da61f9040641e9b4ba216c
-
SSDEEP
24576:+isEYsQjgklCftc8sIixmZqF2h6ctsOhIcY:tLBQjgkc2Ii72Ec/yc
Malware Config
Extracted
cybergate
v1.07.5
remote
fahad-vip.zapto.org:999
601Y7C26116N10
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\64a73bb6ad9ffe6ffe9472eb6f0efea9.exe"C:\Users\Admin\AppData\Local\Temp\64a73bb6ad9ffe6ffe9472eb6f0efea9.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\64a73bb6ad9ffe6ffe9472eb6f0efea9.exe"C:\Users\Admin\AppData\Local\Temp\64a73bb6ad9ffe6ffe9472eb6f0efea9.exe"3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Deletes itself
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\system32\install\server.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\install\server.exe"C:\Windows\SysWOW64\install\server.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
224KB
MD5bf0d340afebb1408d2909c70eea77732
SHA13a1910be2bae5df52a325ffdc96cfba6faae9a40
SHA25621335ed60128e6588eb1e2e09a501f3bd262e055f321027fc2507d421fac2107
SHA51292ea76b8db4f6f912ce87d596396e5fc8eb02de1e45b28935864668384e0d6d2712efe5ccd5841e2b84126f545c592155432fe8fb7235ac17e729302b776258f
-
Filesize
15B
MD5bf3dba41023802cf6d3f8c5fd683a0c7
SHA1466530987a347b68ef28faad238d7b50db8656a5
SHA2564a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
Filesize
539KB
MD594cc0a79d325edbe39df054b5ba62dd2
SHA16e00c6aed1b68a040a4af5d680f49d6cc84d7cf6
SHA256cb8b4dd0e06798ad80fdd3b47cab733388b79cb4a51a29f78abfecdd7ec67f29
SHA51292b199bea8d41f2f20f83878ec428d87d692bede0d10a2f5c14359cd095f76cd74dc1fe6dbf6e969fa4273e5dc7adc05ca477b0ea96466e5888f25165d1f0bfb
-
Filesize
405KB
MD59e05f2ce1fab5b5017fce33d5136230c
SHA1d2b711a9e541e45b664c255be631d3c83e3f4b4c
SHA256a619987ba2d3552595c337896b2a3d13c5561a39f5dc16045628271c29c4dc86
SHA512ab373789dcb7ecb445d138fbea50d49c07b928fafa6389e867e3c8f1abc7ea637fddf560ee31110f37ce97db4bd6280428fc4c846239a39d4d1ab15dba98f0ba
-
Filesize
156KB
MD553da1e81dae600fa973e669c0176c5f4
SHA1c7ab91bf4bfdcd42dd0d0665c5f153794a139f3f
SHA256164a53c150d8b6ad2b522379b604a6054d19c8aeb48efb134b63a1ee132fa5ef
SHA512f2b8c2b27fea1e3cfb9fa7a4cd33267bfb19a2505b6353b8216768bfdbe1d9545b33738224f6d691a8a4389432153b02e1c659ea965e2feeed596716f7580a32
-
Filesize
485KB
MD553ad552381b0ad26314196374a0c4be7
SHA18d47114e457cb11e216bc552ea1772423a3fd23a
SHA256aa28c16d19cb9b2a9a1b282edde57d681c1ae97ca7bc83e07afe2664e35550c7
SHA5126472f3b7490f83b28aa9a7f89468af9ff39b91f8ad581f8ba0725443a38763c94c634fe7bbf28f6e1c8b9fabe44e7ce08ac1340450468b9fac6fa2474c1a32f9
-
Filesize
369KB
MD55e0455cb3a16a9f21fdcb1336d19bc18
SHA105a7e749d762e3aacff420025715a32352c2cd01
SHA25631fc0ed25a9b598a66ef6baf5fa906327010b01ae65dc6eb57636104ad39da30
SHA512009a488e49c6e34132564eb3b9a41684936ac5bb7ac55458366ac6f9c1225c83fd84d26cf8acc820f1d7c8a5e37df21b2251bd4565206ed43311a46bad85c46a
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
5.7MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
5.7MB