Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-03-2024 03:59

General

  • Target
    b044f5284a7d36a36a3363405207ca06.exe
  • Size
    454KB
  • MD5
    b044f5284a7d36a36a3363405207ca06
  • SHA1
    0f046e14d8a993e6fb4a1bc61161aa4a03f4aa26
  • SHA256
    03b2be7dc944c46239c333604a11747707535e0e8c08611a7513015c9cf02e95
  • SHA512
    5367291e130dd01ac51f7cc2713be238e5ca5164f9744623d81636850042b8753af2ae78e4ee963c985a2462170dacd87742be8557e13b5e03e2af306f036dd5
  • SSDEEP
    12288:QUJ3QGIgmNAySgRwv9NFeC0LNkwWI+K5P:pNlsXwlNFFvwB5P

Malware Config

Extracted

  • Family
    cybergate
  • Version
    2.6
  • Botnet
    vítima
  • C2
    127.0.0.1:81
  • Mutex
    bvnbnnnm

Attributes

  • enable_keylogger
    true
  • enable_message_box
    false
  • ftp_directory
    ./logs/
  • ftp_interval
    30
  • injected_process
    explorer.exe
  • install_dir
    install
  • install_file
    server.exe
  • install_flag
    true
  • keylogger_enable_ftp
    false
  • message_box_caption
    texto da mensagem
  • message_box_title
    título da mensagem
  • password
    abcd1234
  • regkey_hkcu
    HKCU
  • regkey_hklm
    HKLM

Signatures

  • CyberGate, Rebhip
    CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • ASPack v2.12-2.42 (1 IoC)
    Detects executables packed with ASPack v2.12-2.42.
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • UPX packed file (14 IoCs)
    Detects executables packed with UPX or a modified UPX open-source packer.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (5 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE (PID 1116)
    Command line: C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe (PID 1924)
      Command line: "C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"
      Behaviours: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe (PID 2572)
        Command line: "C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"
        Behaviours: Adds policy Run key to start application; Modifies Installed Components in the registry; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\explorer.exe (PID 1564)
          Command line: explorer.exe
          Behaviours: Modifies Installed Components in the registry
        • C:\Program Files\Internet Explorer\iexplore.exe (PID 2000)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        • C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe (PID 2068)
          Command line: "C:\Users\Admin\AppData\Local\Temp\b044f5284a7d36a36a3363405207ca06.exe"
          Behaviours: Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
          • C:\Windows\SysWOW64\install\server.exe (PID 560)
            Command line: "C:\Windows\system32\install\server.exe"
            Behaviours: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
            • C:\Windows\SysWOW64\install\server.exe (PID 1420)
              Command line: "C:\Windows\SysWOW64\install\server.exe"
              Behaviours: Executes dropped EXE

