Overview

overview

10

Static

static

3

8919112b79...0a.exe

windows7-x64

10

8919112b79...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2024, 08:59 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8919112b7919f2d24dab339614909e0a.exe

  • Size

    575KB

  • MD5

    8919112b7919f2d24dab339614909e0a

  • SHA1

    ee824497e7812bb11e4ae3eeb9c546b6cd4f48b0

  • SHA256

    aedf9eb9f99bd157d54338b71262ed842776883d66bf099376ed82e9d9c738bd

  • SHA512

    5895e762d71ceb6028fcdd28fe0355f7eccf2dfe74495d2f92feb0a3330e1f6ffc5dff3e42a0dfc4cf8beef54363fb5f7e173d040e814dfef2ac83ec7bfb7abf

  • SSDEEP

    12288:/ExIE7F8UJfbCOdJSVgtqBAtvEjpOTjsIHFy8c02kXAasWEHNcckln6MA52fE9TQ:UBTjPdJ0gyjZUTUN4MZ

Score
10/10
cybergate4chanevasionpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

4chan

C2

hosturl.no-ip.biz:3737

Mutex

8M05IA3OA6AAET

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8919112b7919f2d24dab339614909e0a.exe
    "C:\Users\Admin\AppData\Local\Temp\8919112b7919f2d24dab339614909e0a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Users\Admin\AppData\Roaming\iexplore.exe
      C:\Users\Admin\AppData\Roaming\iexplore.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:4460
        • C:\Users\Admin\AppData\Roaming\iexplore.exe
          "C:\Users\Admin\AppData\Roaming\iexplore.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:4308
          • C:\Windows\SysWOW64\WinDir\Svchost.exe
            "C:\Windows\system32\WinDir\Svchost.exe"
            4⤵
            • Executes dropped EXE
            PID:2228

    Network

    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      www.server.com
      iexplore.exe
      Remote address:
      8.8.8.8:53
      Request
      www.server.com
      IN A
      Response
      www.server.com
      IN CNAME
      server.com
      server.com
      IN A
      52.8.126.80
    • flag-us
      DNS
      74.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18deploystaticakamaitechnologiescom
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      190.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      190.178.17.96.in-addr.arpa
      IN PTR
      Response
      190.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-190deploystaticakamaitechnologiescom
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 52.8.126.80:80
      www.server.com
      iexplore.exe
      156 B
       3
    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      www.server.com
      dns
      iexplore.exe
      60 B
       90 B
       1
      1

      DNS Request

      www.server.com

      DNS Response

      52.8.126.80

    • 8.8.8.8:53
      74.32.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      74.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      144 B
       158 B
       2
      1

      DNS Request

      19.229.111.52.in-addr.arpa

      DNS Request

      19.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      190.178.17.96.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      190.178.17.96.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
      Filesize

      224KB

      MD5

      4f15b81b3424ebdb454217083ac3a754

      SHA1

      e96f6ea7c45829c334d2f32aa288f81e3508dc43

      SHA256

      9ded7a69e70a87a32f784ed101acd1a6c423fd5cfb515b49b37ee914636e57f4

      SHA512

      8a8d0d5a5fb17463e4007fd5e137b6310cafe680e91b2bec364a8e66844c58817eda0fc167dc8c6f1c40daa3abd7c20a022f679364e43313afd12f1360e8d991

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      06fa3449f253a6bec5a6c881a8880d2d

      SHA1

      754e2ec1da714852e793f6cc0781a22f361382ba

      SHA256

      16a87c32d2b3cba8081edbc513c975d240a9e5e6d09bd0374058ca26d8b7657e

      SHA512

      447ea4cae2cef478094004d021d2095bdb5eb121b9eca8ab79fa3eba9a45ffde6f088a5991458b3189e066313d2d00dea359f8cdfa4c4899a27a316dc8f7602f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      43e34d44eff43056673545c1d9c60da0

      SHA1

      f493a30d6603d18bcdf1a3019bd521d1af7edefa

      SHA256

      7f3f5a3aa9d86db553841a3259c9dc44fc65dbe95db3e9690cee8b230ca49b93

      SHA512

      789e490106ed6988a5bf61d30bfc4299808e93efd51b567d159b706f4448a6c77680aad6e3ba92abcf2ee38be2d18b9b18fed3efca6b704ff72e0399cf55db62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      1348e992c92d07e9a3d7108c7aa09555

      SHA1

      65699eb7e0b410fdd3b5b9a78b5dc4afde96c256

      SHA256

      a802e4faf368840c82709aaea1d10d7a737b58a41a1be6e5f81fcbfa2972479e

      SHA512

      e0f1a69f82823723203dc8e06be1f2f208c4eab3511968137b192ff3d79826b3b556dee5921b4264a8d5ce5f353451083fd36dc8297078f65f8aed6c89691f08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      638b7f29e33b10521b6351143ae6a64e

      SHA1

      ec733c34ef5e2d65589fa66f2e3731fcef396993

      SHA256

      40cdd604c1875e3dbe9028d770109ef91affba25b4fda659d8a56a948a6051b5

      SHA512

      37da1561c91b53528491c8b12df16bdd869ac2943c11e90435e8efaa495d6937e38cf701a4b78fcff3c28bf4a9434b6f071ad486d1282b4b0d43f0ce2636982a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      cf2e138eb281244595e589587143e932

      SHA1

      d7343fcc449ca2701f4db305067fb7fcd8ab177e

      SHA256

      5e94350236c78ab801346cd2842bc5fdff34453e1a3af694c0ddeca1cead7df6

      SHA512

      a00ec4ffef012f8725f8822412a01ad1645a6f38c003a7805eafafb2f140d3db4d4a8282000b77ee3ffdef2c7019707f3d1326fbb79b2aec172ced879208b4b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      0b92b8baf256a4e686b0228b0fb93ce2

      SHA1

      16ff6aa1e7af1f9175bd9604edc5be9e88d61091

      SHA256

      30e14b5fbfedcae167bbb0187c97f439c07e24e85df8d18ccaf5c78c6646c203

      SHA512

      094b15f313775a811ea99f2c94905cdf890741e1979efd489459b859bc2c603aa3ddbb6bce7809e427f7b475939c19cfdf5109eb1713dda0a829197fa2610f27

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      da9801014db9d6ea3c00eb4ff4c77874

      SHA1

      ce2727671778626f66d01c98f5e40e6da311572a

      SHA256

      60ad22dab4f06e53cfb9cb467c041d1727b536f717bb684b9d8c411d0d6d5fd5

      SHA512

      dddcb81c90581d8600fd59b1d36010e3364b018c5b92687e58ac19f4e3797322ea1953bba71c2c2b72e2ff16544b10cae1b0bd818e964b8e372d196c1d39b58d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      43b83a5677e1107c947ba9644eebcb50

      SHA1

      1948f6a3a140679cacdc64be9ce6a8b3d36cd19c

      SHA256

      a3ed005d50dbc2ec281b0a04ea855331f848b1f0c77215885b1f9cd948f27cac

      SHA512

      69e730d9efb6dd3ecc386033c9d797e73d33a31170c264f3641f6a163f9983958144efce578f9530eb4d71e3d0d7fd27b123157de779eb01dda0eb37ca125cb5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      1dcde3e5c362ce3d798c8951108e0b27

      SHA1

      498810ee0d35928e8aa8964ed225017fe1ccf492

      SHA256

      d3dfa71fd3178fe8c3d5e682bd5129654c2695d2e65be02a2df717f82f527af2

      SHA512

      de83632ddce3a60fe99a7c8d5cf7c76c55a024e5d00a932c632ce48096a938090a97ccb54fb3a48771b7ac90f02ccb510f1c81bce7f986e214eace14be04b802

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      51160f9996e4b379087198db6bb65bbd

      SHA1

      94b5995937415febc841684a4d20a6d4ca4fa316

      SHA256

      7d8328a3c20747e13c6955a31378b5b4f71757badc1b4e70c7308b9f94dd131d

      SHA512

      d549eb30e212798207b0f0120bd2c1e7e4250c938c64eb18fd41add76ebb313fd64790efa91927e4cc62df45ea14bf64ad406fea65a4cecf0d593a124921eeaa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Admin7
      Filesize

      8B

      MD5

      acb883635a309d2464ef0082a44124df

      SHA1

      1b418c0a6dd4829f437c77432da86317f30b83da

      SHA256

      9111055eb4f43ab15fcbe96305d9981e77b081d7694a1e2d901f38f241d08ec5

      SHA512

      a004d625da6b8f4f514396c92e46297e32e1b784f1c5b1ff7b4460de04630d26e49c1af483c7b5fdaa99a0a0abd106e5c8337894358296b9d62131f81eca6854

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Adminlog.dat
      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

      Download Submit

    • C:\Users\Admin\AppData\Roaming\iexplore.exe
      Filesize

      1KB

      MD5

      0856a2a6089ef9046f78b1e45f5d8162

      SHA1

      d7e6737ec0d1c478a9d0bd6df20e33e0f410a014

      SHA256

      b1fb8e964d0b091b8af2d72221b64cebe25ae46ea2b6314a6d2c0be05e5d969e

      SHA512

      0a0739a57f743ceb2dd99e73bfd900712075a2cad240264ab2c432ac7fbcb2ed0ce28c332ba44b48ef4acf9b5416f7a8d292d5594a63ae316503be9d4e3bd29d

      Download Submit

    • memory/2276-86-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2276-9-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2276-6-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2276-78-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2276-11-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2276-13-0x0000000000400000-0x0000000000451000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2276-17-0x0000000010410000-0x0000000010475000-memory.dmp

      Filesize

      404KB

      Download

    • memory/4308-21-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-22-0x0000000000570000-0x0000000000571000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-84-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

      Download

    • memory/4308-1108-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

      Download

    • memory/4960-12-0x0000000074D80000-0x0000000075331000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4960-0-0x0000000074D80000-0x0000000075331000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4960-2-0x0000000000930000-0x0000000000940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4960-1-0x0000000074D80000-0x0000000075331000-memory.dmp

      Filesize

      5.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.