Overview

overview

10

Static

static

3

7c2d4032fe...2c.exe

windows7-x64

10

7c2d4032fe...2c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2024 04:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c2d4032fe9a740ee4eebd4c9dba4b2c.exe

  • Size

    258KB

  • MD5

    7c2d4032fe9a740ee4eebd4c9dba4b2c

  • SHA1

    e5ca92f61d2d4efec0dc29223714f10cd340065b

  • SHA256

    ddf51f86fda93814de759eeff8080b0435646a9313151780e4aa4d03c1d2d98a

  • SHA512

    848f5079cd7de6b4d07b162388d1196548772847c154c4b6fdbad83071a23db3384b9a9507b9545061b0f3680d60e67a6d1c3a100cf0bb946c59b7bc5779a9da

  • SSDEEP

    6144:uXwGGtfQEjcJf263r5JLdvf9cBEeT8pS3ci72MzfGOlnziTRCeq:uX+YEY2675JLF9cBVTGSMG2MzugnzFeq

Score
10/10
cybergatevictimapersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

2.2.3

Botnet

Victima

C2

habboflooder.no-ip.org:3460

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    asd

  • install_file

    flooder.exe#

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    hola22

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c2d4032fe9a740ee4eebd4c9dba4b2c.exe
    "C:\Users\Admin\AppData\Local\Temp\7c2d4032fe9a740ee4eebd4c9dba4b2c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Local\Temp\7c2d4032fe9a740ee4eebd4c9dba4b2c.exe
      C:\Users\Admin\AppData\Local\Temp\7c2d4032fe9a740ee4eebd4c9dba4b2c.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Users\Admin\AppData\Local\Temp\7c2d4032fe9a740ee4eebd4c9dba4b2c.exe
        "C:\Users\Admin\AppData\Local\Temp\7c2d4032fe9a740ee4eebd4c9dba4b2c.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\UuU.uUu
    Filesize

    8B

    MD5

    91972fd7300a79c20f472979de70330a

    SHA1

    3cba9de7e870499b19fa28f500c0f6dd2ca93b96

    SHA256

    d64dcd15f53afbc632a0bc5f697056b6aaae818ea4acdcd4467b52c6bb98b24a

    SHA512

    0d0e7949c694bd632b647ccdaf3b6bb5fe0eca94e82fb6931176ab111217a3f62e5a7bade9b563e5dfa99847c08f2f49a660762fde06497177d36b3db0f815be

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
    Filesize

    141KB

    MD5

    154bdcfc02bd3497f014a629cc1c8877

    SHA1

    2acfbbd6fe91c5c21b24f6689f096f63efd308a2

    SHA256

    1d772499cb349fa710332880a70cf4d7b70a43e5172311ceb9ca76177dc611f0

    SHA512

    cad6c417609cfb773207730783af5e9c6a7db24c01dcc6d59daedcb6ca258dc9ba967c2c99648f908cd28f56cdad7f66da59700eeb0a7d8d796c378f485b2107

    Download Submit
  • C:\Users\Admin\AppData\Roaming\logs.dat
    Filesize

    15B

    MD5

    86f3c87caff4d7973404ff22c664505b

    SHA1

    245bc19c345bc8e73645cd35f5af640bc489da19

    SHA256

    e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

    SHA512

    0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

    Download Submit
  • memory/2784-76-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2784-59-0x0000000003D20000-0x0000000003D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2784-113-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2784-11-0x00000000001E0000-0x00000000001E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2784-12-0x0000000000580000-0x0000000000581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2784-14-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2784-75-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2784-78-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2784-60-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2784-79-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2784-68-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2784-65-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2784-67-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3616-0-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize

    88KB

    Download
  • memory/3616-6-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize

    88KB

    Download
  • memory/3800-56-0x0000000024010000-0x000000002404E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3800-4-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3800-5-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3800-63-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3800-61-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3800-3-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3800-7-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download