Analysis
-
max time kernel
2s -
max time network
3s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
06-03-2024 11:55
General
-
Target
b756cabdc438f199a443e6393ea04f0d.exe
-
Size
302KB
-
MD5
b756cabdc438f199a443e6393ea04f0d
-
SHA1
0167dd17939e796d2dcfea1c82f0b1b6fb788ba9
-
SHA256
20ea4faa2783de82e7786ce2c89d5c1f87c9287eb10907226964d1a64c122396
-
SHA512
311df7a8a82b66e1be1b921e737e0c0e3e278e2291365d4984fea83dbd451f21e0de9c06802f5d06e766204db74ae3602012ac598795e18d7c9dcae8be535dfb
-
SSDEEP
6144:2OpslFlqUhdBCkWYxuukP1pjSKSNVkq/MVJb6:2wsl3TBd47GLRMTb6
Malware Config
Extracted
cybergate
v1.07.5
cyber
79.132.181.169:100
8LUG2YFKPUT0DL
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\b756cabdc438f199a443e6393ea04f0d.exe"C:\Users\Admin\AppData\Local\Temp\b756cabdc438f199a443e6393ea04f0d.exe"2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\b756cabdc438f199a443e6393ea04f0d.exe"C:\Users\Admin\AppData\Local\Temp\b756cabdc438f199a443e6393ea04f0d.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Admin2.txtFilesize
224KB
MD5f9dc6fa8e34af760e4d6e0b12279a41d
SHA1b08570ae7c001b8a0244b0188106883e8f5a3f1a
SHA256896811d42001553d0cea05166acad7f2f3f726af92c1d961a4428e567cb5c475
SHA512bb0fe687e82a6b2e33ecbac96cce28405e0078f0841b30422f439ef3eef5ba082883dc87d65c076aeabef5bd3a221d2e2d758eb56f393c5fc19685330221078e
-
C:\Windows\SysWOW64\install\server.exeFilesize
302KB
MD5b756cabdc438f199a443e6393ea04f0d
SHA10167dd17939e796d2dcfea1c82f0b1b6fb788ba9
SHA25620ea4faa2783de82e7786ce2c89d5c1f87c9287eb10907226964d1a64c122396
SHA512311df7a8a82b66e1be1b921e737e0c0e3e278e2291365d4984fea83dbd451f21e0de9c06802f5d06e766204db74ae3602012ac598795e18d7c9dcae8be535dfb
-
memory/1996-7-0x0000000001140000-0x0000000001141000-memory.dmpFilesize
4KB
-
memory/1996-8-0x0000000001400000-0x0000000001401000-memory.dmpFilesize
4KB
-
memory/1996-66-0x0000000003EF0000-0x0000000003EF1000-memory.dmpFilesize
4KB
-
memory/1996-67-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/1996-68-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB
-
memory/3916-3-0x0000000010410000-0x0000000010475000-memory.dmpFilesize
404KB
-
memory/3916-63-0x0000000010480000-0x00000000104E5000-memory.dmpFilesize
404KB