Overview

overview

10

Static

static

3

6d47ef9510...8b.exe

windows7-x64

10

6d47ef9510...8b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2024 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d47ef95105c1c8693068ad67a8f808b.exe

  • Size

    476KB

  • MD5

    6d47ef95105c1c8693068ad67a8f808b

  • SHA1

    b3745e7aa74afdc67dbc6fea73e0a621317f05b1

  • SHA256

    5787915613ee1a82d52bc8ea08b1eb005552a86e32d213d0684351c2786dedce

  • SHA512

    50a857ad36b2c22a53f67a756cfad4f379cf733f01c5f80f7a2bdbb90c2b0c4b3c3bc132ba894f546782e2c85c717cf6454ab2d46aa0609931a935abe058c6a2

  • SSDEEP

    12288:Kl3yiHcOCHwchidPo2bU5J4oJBHQWVKjKzRiFM:KlCiUHwW2bU5jBHbwzM

Score
10/10
cybergatemicrosoftpersistencestealertrojan

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Microsoft

C2

127.0.0.1:4069

Mutex

system

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    svchost.exe

  • install_dir

    Microsoft

  • install_file

    svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Kill Dnd And Block

  • message_box_title

    paltalk

  • password

    111122

  • regkey_hkcu

    system

  • regkey_hklm

    system

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1076
      • C:\Users\Admin\AppData\Local\Temp\6d47ef95105c1c8693068ad67a8f808b.exe
        "C:\Users\Admin\AppData\Local\Temp\6d47ef95105c1c8693068ad67a8f808b.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Users\Admin\AppData\Local\Temp\6d47ef95105c1c8693068ad67a8f808b.exe
          C:\Users\Admin\AppData\Local\Temp\6d47ef95105c1c8693068ad67a8f808b.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Users\Admin\AppData\Local\Temp\6d47ef95105c1c8693068ad67a8f808b.exe
            C:\Users\Admin\AppData\Local\Temp\6d47ef95105c1c8693068ad67a8f808b.exe
            4⤵
            • Adds policy Run key to start application
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              5⤵
                PID:2464

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      3
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      3
      T1547.001

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1076-43-0x0000000002EF0000-0x0000000002EF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2052-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2052-36-0x0000000000400000-0x000000000044D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/2052-25-0x0000000000400000-0x000000000044D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/2052-23-0x0000000000400000-0x000000000044D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/2052-21-0x0000000000400000-0x000000000044D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/2052-14-0x0000000000400000-0x000000000044D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/2052-7-0x0000000000400000-0x000000000044D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/2364-13-0x0000000001DD0000-0x0000000001DE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2364-24-0x0000000074EE0000-0x0000000074FF0000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2364-19-0x0000000010000000-0x0000000010077000-memory.dmp
        Filesize

        476KB

        Download
      • memory/2364-1-0x0000000010000000-0x0000000010077000-memory.dmp
        Filesize

        476KB

        Download
      • memory/2364-20-0x0000000001D11000-0x0000000001D15000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2364-12-0x00000000773FF000-0x0000000077400000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2364-22-0x0000000000260000-0x0000000000299000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2364-2-0x0000000000220000-0x0000000000224000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2364-10-0x0000000077400000-0x0000000077401000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2364-8-0x0000000001D10000-0x0000000001D20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2364-285-0x0000000074EE0000-0x0000000074FF0000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2364-0-0x0000000010000000-0x0000000010077000-memory.dmp
        Filesize

        476KB

        Download
      • memory/2364-4-0x0000000000260000-0x0000000000299000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2464-284-0x00000000000A0000-0x00000000000A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2688-28-0x0000000000400000-0x000000000049F000-memory.dmp
        Filesize

        636KB

        Download
      • memory/2688-38-0x0000000000400000-0x000000000049F000-memory.dmp
        Filesize

        636KB

        Download
      • memory/2688-37-0x0000000000400000-0x000000000049F000-memory.dmp
        Filesize

        636KB

        Download
      • memory/2688-39-0x0000000000400000-0x000000000049F000-memory.dmp
        Filesize

        636KB

        Download
      • memory/2688-34-0x0000000000400000-0x000000000049F000-memory.dmp
        Filesize

        636KB

        Download
      • memory/2688-30-0x0000000000400000-0x000000000049F000-memory.dmp
        Filesize

        636KB

        Download
      • memory/2688-286-0x0000000000400000-0x000000000049F000-memory.dmp
        Filesize

        636KB

        Download