Analysis
  max time kernel: 147s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-02-2024 19:23
Behavioral task
  behavioral1
  Sample: a9f72a00211481791e8c4466be3c60f7.exe
  Resource: win7-20240221-en
  4 signatures
  150 seconds
General
  Target: a9f72a00211481791e8c4466be3c60f7.exe
  Size: 272KB
  MD5: a9f72a00211481791e8c4466be3c60f7
  SHA1: 1cc485c7a05822a67fba1bcdb0173c157a8681f1
  SHA256: 327f751abc80cb895dffd6d6fad32f0a926e89e9fa5ef90f12699542e88d4cb2
  SHA512: e58b1372b57b34abf72f9582c19ee5e67670490c78e232c3f54f729897aba3132845994754decd2958d88f413563789df85eb36fdee76c477aa949982536ca7e
  SSDEEP: 6144:Nk4qmKcaqde+osCM8ZfI9wfZAyzfn/CaOKAy:a9cR8ZwyZAsCHm
Malware Config
Extracted
  Family: cybergate
  Version: 2.6
  Botnet: vítima  (Portuguese: "victim")
  C2: tiger-n.no-ip.biz:81
  Mutex: explorer
  Attributes
    enable_keylogger: true
    enable_message_box: false
    ftp_directory: ./logs/
    ftp_interval: 30
    injected_process: explorer.exe
    install_dir: System32
    install_file: svhost.exe
    install_flag: true
    keylogger_enable_ftp: false
    message_box_caption: texto da mensagem  (Portuguese: "message text"; unused, since enable_message_box is false)
    message_box_title: título da mensagem  (Portuguese: "message title"; unused, since enable_message_box is false)
    password: 147741
    regkey_hkcu: HKCU
    regkey_hklm: HKLM
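To turn the extracted configuration above into something a responder can hunt with, here is an added example that is not part of the sandbox report or of any vendor tooling. It derives host and network indicators from the config values (C2, mutex, install_dir/install_file, injected_process) and runs them over constructed Sysmon-style events. Two assumptions are built in and labelled in the code: that install_dir "System32" means the Windows system directory, which for a 32-bit process on x64 Windows is redirected to SysWOW64 by WOW64 file-system redirection unless the writer disables it, so both locations are hunted; and that the telemetry field names (EventID, Image, TargetFilename, QueryName, DestinationHostname, DestinationPort, SourceImage, TargetImage) follow Sysmon's naming. The events themselves are made up for the demonstration.

```python
"""Derive hunt indicators from the CyberGate config extracted above and run
them over constructed telemetry. Added example, not part of the sandbox report."""
import ntpath

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "c2": "tiger-n.no-ip.biz:81",
    "mutex": "explorer",
    "injected_process": "explorer.exe",
    "install_dir": "System32",
    "install_file": "svhost.exe",
    "install_flag": True,
}

LEGIT_NAME = "svchost.exe"  # the real service host that install_file imitates


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, enough to flag one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name: str, legit: str = LEGIT_NAME) -> bool:
    """True when name differs from the legitimate binary name by exactly one edit."""
    return name.lower() != legit and levenshtein(name.lower(), legit) == 1


def derive_indicators(cfg: dict) -> dict:
    """Turn config fields into concrete artefacts to search for on a host."""
    host, _, port = cfg["c2"].rpartition(":")
    paths = set()
    if cfg["install_flag"]:
        # Assumption: the sample is 32-bit (report tags arch:x86, WerFault ran from
        # SysWOW64), so a write to System32 lands in SysWOW64 under WOW64 file-system
        # redirection unless the redirector is disabled. Hunt both locations.
        for sysdir in ("System32", "SysWOW64"):
            paths.add(f"C:\\Windows\\{sysdir}\\{cfg['install_file']}".lower())
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "install_paths": paths,
        "install_name": cfg["install_file"].lower(),
        "injection_target": cfg["injected_process"].lower(),
    }


def match_event(ev: dict, ind: dict) -> list:
    """Sysmon-style event dict -> list of reasons it matches the indicators."""
    reasons = []
    eid = ev["EventID"]
    if eid == 1:  # process creation
        image = ev["Image"].lower()
        if image in ind["install_paths"]:
            reasons.append("install path executed")
        if is_lookalike(ntpath.basename(image)):
            reasons.append(f"look-alike of {LEGIT_NAME}")
    elif eid == 11 and ev["TargetFilename"].lower() in ind["install_paths"]:  # file create
        reasons.append("install file dropped")
    elif eid == 22 and ev["QueryName"].lower() == ind["c2_host"]:  # DNS query
        reasons.append("DNS query for C2 host")
    elif eid == 3 and ev["DestinationPort"] == ind["c2_port"] \
            and ev.get("DestinationHostname", "").lower() == ind["c2_host"]:  # network connect
        reasons.append("connection to C2")
    elif eid == 10 and ntpath.basename(ev["TargetImage"].lower()) == ind["injection_target"] \
            and ntpath.basename(ev["SourceImage"].lower()) == ind["install_name"]:  # process access
        reasons.append("handle to injection target from install file")
    return reasons


# Constructed telemetry for the demo, loosely modelled on Sysmon event IDs 1/3/10/11/22.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\svhost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\svhost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},  # benign service host
    {"EventID": 22, "QueryName": "tiger-n.no-ip.biz"},
    {"EventID": 3, "DestinationHostname": "tiger-n.no-ip.biz", "DestinationPort": 81},
    {"EventID": 3, "DestinationHostname": "update.example.net", "DestinationPort": 81},  # benign
    {"EventID": 10, "SourceImage": r"C:\Windows\SysWOW64\svhost.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]


def hunt(events: list, cfg: dict = CONFIG) -> list:
    """Return (event index, reason) pairs for every indicator hit."""
    ind = derive_indicators(cfg)
    return [(i, r) for i, ev in enumerate(events) for r in match_event(ev, ind)]


if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Two points the config alone does not make obvious: an exact-name block list for "svhost.exe" would be brittle, while the one-edit distance check catches the whole family of svchost.exe look-alikes without flagging the real binary; and a hunt that only searches C:\Windows\System32 for the dropped file will miss a 32-bit dropper whose write was redirected to C:\Windows\SysWOW64.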
Signatures
  YARA rule matches (Processes)
    resource                                                                     yara_rule
    behavioral2/memory/2584-0-0x0000000000400000-0x0000000000455000-memory.dmp   upx
    behavioral2/memory/2584-1-0x0000000000400000-0x0000000000455000-memory.dmp   upx
  Program crash (1 IoC)
    Processes:
    pid    pid_target   Process        procid_target
    2924   2584         WerFault.exe   85
Processes
  C:\Users\Admin\AppData\Local\Temp\a9f72a00211481791e8c4466be3c60f7.exe  (PID: 2584)
    command line: "C:\Users\Admin\AppData\Local\Temp\a9f72a00211481791e8c4466be3c60f7.exe"
    └─ C:\Windows\SysWOW64\WerFault.exe  (PID: 2924)  [Program crash]
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 476
  C:\Windows\SysWOW64\WerFault.exe  (PID: 3740)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2584 -ip 2584

The only activity recorded in this run is the sample process (PID 2584) crashing and being handled by Windows Error Reporting; WerFault.exe is launched from SysWOW64, consistent with the arch:x86 tag. No svhost.exe drop, no injection into explorer.exe and no traffic to tiger-n.no-ip.biz appear in the process tree, so the configuration listed above comes from extraction of the sample rather than from observed behaviour, and the UPX YARA match on the 0x400000-0x455000 region of PID 2584 shows the packed main module in memory before the crash.