Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-02-2024 11:12

General

  • Target

    9704acf70f601607084200c2b8f24146.exe

  • Size

    282KB

  • MD5

    9704acf70f601607084200c2b8f24146

  • SHA1

    f8d29c3f73e71fabd9d3835c04603fa5fd00c805

  • SHA256

    8e86221ff8aa85db50150848d8786d05a9fff464dd47a684bebcb136881c7f67

  • SHA512

    31f3c3347dd9f414641dcbe2c45144f3ca6cc8f1169506014a35c7e68a369c19e3b78b7ef4d5d63dc770c4c90989a82283bf206c538c997c62b206c4cfa136b1

  • SSDEEP

    6144:ZonYdhUSyP6t2zQtDtdWn7T1iaOufuz5wOUtlKOuhPbjXbK:ZUYdaSPtkQtDtdWfkaMz5fUtlKOuhPb

Malware Config

Extracted

Family

cybergate

Version

2.8 Private Edition

Botnet

vítima

C2

127.0.0.1:81

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  • UPX packed file (8 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:492
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:476
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        2⤵
          PID:752
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        2⤵
          PID:1076
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        2⤵
          PID:2128
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        2⤵
          PID:2024
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        2⤵
          PID:1152
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        2⤵
          PID:1008
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k NetworkService
        2⤵
          PID:276
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService
        2⤵
          PID:980
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
          PID:864
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            3⤵
              PID:2684
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        2⤵
          PID:828
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k RPCSS
        2⤵
          PID:680
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        2⤵
          PID:612
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            3⤵
              PID:960
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe -Embedding
            3⤵
              PID:376
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
      PID:396
  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:384
      • C:\Windows\system32\lsm.exe
        C:\Windows\system32\lsm.exe
        2⤵
          PID:500
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
      PID:336
  • C:\Windows\System32\smss.exe
    \SystemRoot\System32\smss.exe
    1⤵
      PID:260
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:1580
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe
        "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
              PID:2720
          • C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe
            "C:\Users\Admin\AppData\Local\Temp\9704acf70f601607084200c2b8f24146.exe"
            3⤵
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
              PID:2304
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt (240KB)
  • C:\Users\Admin\AppData\Local\Temp\XxX.xXx (8B; written 18 times, each with different contents)
  • C:\Users\Admin\AppData\Roaming\logs.dat (15B)
  • C:\Windows\install\server.exe (282KB; identical MD5/SHA1/SHA256/SHA512 to the submitted sample, matching the install_dir/install_file values in the extracted config)

  • memory/2284-16-0x0000000001CE0000-0x0000000001D38000-memory.dmp (352KB)
  • memory/2284-0-0x0000000000400000-0x0000000000458000-memory.dmp (352KB)
  • memory/2284-4-0x0000000010410000-0x0000000010472000-memory.dmp (392KB)
  • memory/2284-307-0x0000000000400000-0x0000000000458000-memory.dmp (352KB)
  • memory/2304-18-0x0000000000400000-0x0000000000458000-memory.dmp (352KB)
  • memory/2304-2915-0x0000000010480000-0x00000000104E2000-memory.dmp (392KB)
  • memory/2304-8-0x00000000001B0000-0x00000000001B1000-memory.dmp (4KB)
  • memory/2304-14-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
  • memory/2304-22-0x0000000000350000-0x0000000000351000-memory.dmp (4KB)
  • memory/2304-308-0x0000000010480000-0x00000000104E2000-memory.dmp (392KB)