Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-02-2024 04:06

General

  • Target

    9ab644449c7139b4ae722c8044383e4b.exe

  • Size

    276KB

  • MD5

    9ab644449c7139b4ae722c8044383e4b

  • SHA1

    04356f283d8278241598c5d97261344bcb2fd8d1

  • SHA256

    5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

  • SHA512

    f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

  • SSDEEP

    6144:Dk4qm8zcCzjrTvmXAtEZghSNdKaRafNDPKGviNI8h1hfwO:49/LvmwiTNdiPK/Nw

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

189.5.87.27:81

Mutex

PSICODELIKA

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    texto da mensagem

  • message_box_title

    título da mensagem

  • password

    abcd1234

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (14 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3380
      • C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe
        "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          PID:4960
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:980
          • C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe
            "C:\Users\Admin\AppData\Local\Temp\9ab644449c7139b4ae722c8044383e4b.exe"
            3⤵
            • Checks computer location settings
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:492
            • C:\install\server.exe
              "C:\install\server.exe"
              4⤵
              • Executes dropped EXE
              PID:4708
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 564
                5⤵
                • Program crash
                PID:3092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4708 -ip 4708
        1⤵
          PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

          Filesize

          229KB

          MD5

          aff8d61a4d637ffc0827d306cf7520d3

          SHA1

          1eeee92063db4ef2f07fd0921f88fdea17d6caa2

          SHA256

          cc4c5fb0c6756fd11040bdcbdc1120f441e8b5d40c7dbc84c5cee5f0e55dfb85

          SHA512

          a22d099084614c32e27a3423d3acf811373ca0ca9b15f5426db23fa4f0d52f65624b0ce1b4012d7f4b39195029e3895c0798acde6b0e7cc5d02fb7b504c35d12

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          27ef41b4fd770609a937a87d8b2f2b31

          SHA1

          70eb54c3c4276fe97e4f7ebe194733f8529f2304

          SHA256

          7dcd486e3613928ff4ebe8fdc404d1c272abc65b0eb055c9631398cb1887d172

          SHA512

          ed873a73b5c19de58cae03297e769050554037d7a61a2e20a0e4cbcc5b251d43934fed4daf4678adfcef18f3aee565a4fac614f4892f5588547325a9e9e2aa42

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          9536ad566fec5667371ad4d1489999e6

          SHA1

          a343609177a19fefa8f464aa59318710997a57a5

          SHA256

          ef72cde5d3cab6d4de4f9c9482e48dfd5b29c3de293c7fcd7c237697ab5512d2

          SHA512

          ae509e5f5c921f518659c5a6aaa8567fb3e85bcc3b0edce730ec6eca4980102cff94bb4f834a2da4711dd39f5b3526311245dc2ecb24cf265a1a7e7caca4f867

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          4903030b99109e6ff740eda7e5c71164

          SHA1

          ef1e04e88789db1dcd35aaf7adbdf5f42e982d0e

          SHA256

          0a4eaa644a132a585f43620e13ad78fbaff7641a7197512a8f7815ff83b832c0

          SHA512

          50183a6919ab7c6c1985444a107d0c989af7962e6170497ef8c1bc1638a1ad13145b572edb2d6b2ee4f55b924c53bc83138039d0e3cb79b3696ca46790faf029

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          e8b27a20cc44cbcb84b8e6f07ef87160

          SHA1

          9c494a2fb300a900a7a38a6e900f978178607c44

          SHA256

          b3d4dc1f80d3910f289f56c3a488162569c99c78f77d866e6e9ce2f28c8b4336

          SHA512

          c8e0dc5f0caa39c96fa137c375b2eea466fcfd03414a0c21a7b7800741c92ae3fc65990efd480ce998d35c29dbca33abe4da7bf556997e239941e18f32b7aa49

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          9a053bbd4fd1a8022682a5855ec3ec54

          SHA1

          8d9ba8ae8b19190bf65346b80b777ecc49a2f1e9

          SHA256

          bb11347af7332145753dba167e3aaed9dbec2715ba6175a7a3d96d978479badd

          SHA512

          947d942b299cf50f74d65a38c17a588c90747892240a12dff517d630427051bd44117930705fbb7003d579c8a7cd4394f465804d4f43a0df376674eaa37532e1

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          6eb89725c509bf525899911f409d92e6

          SHA1

          f9c63b0d2e6e5a47318511f6eaf2928dbdde6be6

          SHA256

          534bb73ec0ab4585ba24b4c291f4775a11bd1838a9321a5fc2cc8a0473a372a1

          SHA512

          9b4d59bf951396160e5bde470a48e4198ca8ef9ad16059c568e74650f2e7b3ec4689ae21443aa9b1259d858aa76a5c8c2e8cbf983d362d2f701ed85a1172d491

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          356d645d30ef8cc0f7bade03c7d0b78d

          SHA1

          2872c08c7095904a5c494b10344d2f1af1275cb4

          SHA256

          12f78f6d9964f8b3ce7a006c9f5d59aaa2ff223f371e98a439baddcecd78c017

          SHA512

          1388dde17e9b70ca66d83ea6a1483c1c1e70150fa757f518be91b27aa440a573b1013df76a0b595dfd824b5c67447effe73bb6737e9a8c364f9a79d0eb66afc3

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          2bf26ea3ce57dd9e8de502ea964806ad

          SHA1

          40640f2c5e1ac60cd2d3951f2c84a2a904e27eee

          SHA256

          0fe0e4175e823bd6daf42b3e0d5d4b69470b266b668caa1bb280f15c80d6c9ad

          SHA512

          c16a8296fd890e614dc539f5637c758866bf59d98568079e40ef59da3d238c8dcc726c8105578ac40cb5de23670d1de66c7d032ef9c9af114e1f56816691a798

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          24e0049a0e2889e5bfcbd3059679c0e1

          SHA1

          767b61a091b38727260b48390dac66aef7262d6f

          SHA256

          cff074ca5c8754614fcf06338b43bebd7a9bdb5e1bc01ed5190da415607ae1b5

          SHA512

          be82f5a630558ab91a70bdb04c4f0a063fa506a5ad4f3dd59eb3bf209e7350615217ecd457616330eca6bbeb4da6b2e94247b5c2dcd7bb09984168c2d339b1b6

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          a01620835aab62bb0bb94a66f2359f01

          SHA1

          fe6f5075934a70cb4f13085e9550f77804b121bf

          SHA256

          852b2b473cbb31131aaa9e0ce7d17ec79116b322e4d323dd01c417a804bab7ed

          SHA512

          fb77a5e1d120c9c1a1184be1e3c2264c151b5cd575c072f30e3a9ad635a8749a4a0b05d0dc39a351a494a11be0de3ede5fc2861b57229db688e1390f70a12ef8

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          a7b5263fdf620f6c7b9311e7ff3d0249

          SHA1

          2f59150dbf45b72e22e5abb7a4adf8e69c6a9a79

          SHA256

          1d9beb074ddc6068f813da05b7c9e6ac45353f125de99b9054f5747cfdf17bce

          SHA512

          e8b4ab57c4628827ad49207294cf475d9732a2907dbf683b33f55f5645df6d66887317fc9704800502b1ccbd5b3279f5f92550c396c6e1d590d4d7d582ec0446

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          cbec63c228fcde5203bb9f417989bbf0

          SHA1

          cd071bc590275a24ec5146ef7191b051aa22fbf2

          SHA256

          214af02e361ed988b19e71a7a64bb6d93547bb3ce6b5cb5e4f6f84d442806fbb

          SHA512

          ac9df3a32b256af56f19a0f59af9f9c87fbde247c023773556215c69df2a23253dc6969df9e86f1dc33eb33edc71ff0b284d04d03d9017019161e31f563dd0cb

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          02c982a8239db4a202df1d27c3990f55

          SHA1

          e14eb4ba7f2a0a15f0dedb5e1686084066baefe5

          SHA256

          8a1bd9cb65010b27d00ddde938161c3906ad1357e62263b849345e2fe53abeba

          SHA512

          05d165e885d6fdbcf253c9df07ba96a2d7badfd511bd9a14a1ea4b379f1ef88a20fbd8b0822e2c4ad4946386571d3c1c7b81aeb4c960b3275ce604d345481806

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          261d78a60d6dc0113e04d3400cf5eece

          SHA1

          677e34fe84571a4e4a78155462c70a8336e77d6a

          SHA256

          7632a0f6e8b79c6a44892114a1cb743ebde854a9540c1e4befe8c5b83a49f6b0

          SHA512

          1408d2e40753efa0b2632292c47408d26a6ac40856d76ce575c6d037c7c84fa2bfd9cc93c2a93ff64c19f966cfe4506a94dee1597a55772be397e4757901dbee

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          8940140c459d57aa333e5073da9edb2e

          SHA1

          8451be1406e301039f3a6aacb5e139e5d82b0d63

          SHA256

          14859a2eb349ec692843e42a2d78eac0b54238e82c9bb65be30385d20974563c

          SHA512

          9e326e9f8839d5cc7022de013aa5f9a3056416074114943643a6740bb3909da9fde630d2f96113e733650576722577e8ba0e8605fba51106643a796d0787f5e8

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          82bceba2fe6edc73efb430386fec2261

          SHA1

          c947ed2e42c0a9f4eddce7c1c01cbecd7fe203ae

          SHA256

          0003cb6ab09256144dd7687415221c63f231b7e5dc03e5be62a54d86f320d3c6

          SHA512

          a24efeeccfe13557434277539169b754b577e8da8752009ce6a027248157073165529cce35cb910b53fc05cedc45d87034c8df5869fd43ade29875b3d269021a

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          322c992457627f4c4b67107396e0c1d1

          SHA1

          c89d7dac89ccaeec73227d1c716e5e3be79ed47f

          SHA256

          cc1adf73f40be7a0c44fc56cef116eb6029d31c61801942899c64f9222db9755

          SHA512

          2f18213447342f14adb03efdd5c2b9f9e49dfd5a1ca2cbb4a130315f417ad265792d96b743dfdc9f7180dbb522b7d8f6b11c4d20baa6ea904bca30f3be563429

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          7fb9b01e601a94b5432b4de5f8799e75

          SHA1

          ebf9651621a9c1a6ce69b1fb10dd2e6a2d05b547

          SHA256

          fb4c981fe8d8f99956012901d7d97b59412830ced45cdb01cb6ece83156e0e16

          SHA512

          49255e54753606294d2a8faf74235846a29dcc13078ec1d66eff10c0a963a518d4f74789a5beae8ec7bd3e9fb02a9fb214f56d7426b6fee5335469675c9a316c

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          90e8196425c73cadef66a7dbe59d9985

          SHA1

          ad037f1eb679ff0fba0d6e5fb8654acb0d7d33c9

          SHA256

          e8b2e1dcd796b149617b1077e0a57ff70250a61d9d3fb1d5d9f54f7741bf2678

          SHA512

          2839739f202cd0bbbd59816b4ac241e8ef2fe64545c600c69917b683fac61cd9c77d99aa000ac72c45ec0390df74aa0fac90eda267e29a48eeeeb33862aa40cd

        • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

          Filesize

          8B

          MD5

          7a419fa13f909f1f0369c33f712bf69f

          SHA1

          0c53de9d92dd5cde6c749f3cb08926950cd5f85d

          SHA256

          3648e80cbccac2c3d9460898e68dfb2acef7a9a19d1aa32f9ec486ce8edfd194

          SHA512

          90c37e822027360e2cb7b6f44248ef2d1fef3202d3b7ea1a25d808f42d25a363fd1cb80fe9beab2145c91d9b1cb8604f86105d90cd3ce6b0f147b31474c7cb5e

        • C:\Users\Admin\AppData\Roaming\logs.dat

          Filesize

          15B

          MD5

          e21bd9604efe8ee9b59dc7605b927a2a

          SHA1

          3240ecc5ee459214344a1baac5c2a74046491104

          SHA256

          51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46

          SHA512

          42052ad5744ad76494bfa71d78578e545a3b39bfed4c4232592987bd28064b6366a423084f1193d137493c9b13d9ae1faac4cf9cc75eb715542fa56e13ca1493

        • C:\install\server.exe

          Filesize

          276KB

          MD5

          9ab644449c7139b4ae722c8044383e4b

          SHA1

          04356f283d8278241598c5d97261344bcb2fd8d1

          SHA256

          5b85a3101295d1b0bfd0f843a3e733747d4ad7447b996048ba4eb23934cc65f1

          SHA512

          f45cc5cf5bf52ae93a7ab8c921e31999f083c71508997e50cf7bb99cbd8ecc7bd3d77301ac5117ecf3eb414fbed465f82b2d5cac05a3f6dca5e180baae0c8fc9

        • memory/228-86-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/228-64-0x0000000024080000-0x00000000240E2000-memory.dmp

          Filesize

          392KB

        • memory/228-4-0x0000000024010000-0x0000000024072000-memory.dmp

          Filesize

          392KB

        • memory/228-142-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/228-0-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/492-141-0x0000000024160000-0x00000000241C2000-memory.dmp

          Filesize

          392KB

        • memory/492-80-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/492-1340-0x0000000024160000-0x00000000241C2000-memory.dmp

          Filesize

          392KB

        • memory/4708-163-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4708-161-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/4960-68-0x0000000024080000-0x00000000240E2000-memory.dmp

          Filesize

          392KB

        • memory/4960-67-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

          Filesize

          4KB

        • memory/4960-9-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

          Filesize

          4KB

        • memory/4960-164-0x0000000024080000-0x00000000240E2000-memory.dmp

          Filesize

          392KB

        • memory/4960-8-0x0000000000F00000-0x0000000000F01000-memory.dmp

          Filesize

          4KB

        • memory/4960-69-0x0000000024080000-0x00000000240E2000-memory.dmp

          Filesize

          392KB