Overview

overview

10

Static

static

10

b9ce5ea827...d8.exe

windows7-x64

10

b9ce5ea827...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2024, 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9ce5ea827209cd137010d1238bdfad8.exe

  • Size

    296KB

  • MD5

    b9ce5ea827209cd137010d1238bdfad8

  • SHA1

    474bcba01fc049bca30e11eb8b3a9d93d77fa052

  • SHA256

    a4e65008378dd09b23da9ead775158c84dd4a40f75557bd865d6d9cec02607a4

  • SHA512

    7f01d4f6ca8073c9a3c923bcce1b1a5359bc4876aba52fc010bea7fac9f93c815227214fbc0b441c6828c64a6b0998b05b9de3bbc0bb41db02f95e3481c9e787

  • SSDEEP

    6144:POpslFlqchdBCkWYxuukP1pjSKSNVkq/MVJbf:PwslxTBd47GLRMTbf

Score
10/10
cybergatecyberpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

cyber

C2

testseyho.no-ip.org:100

Mutex

EUT4M780VF18I8

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\b9ce5ea827209cd137010d1238bdfad8.exe
        "C:\Users\Admin\AppData\Local\Temp\b9ce5ea827209cd137010d1238bdfad8.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Modifies Installed Components in the registry
          • Suspicious use of AdjustPrivilegeToken
          PID:596
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:2004
          • C:\Users\Admin\AppData\Local\Temp\b9ce5ea827209cd137010d1238bdfad8.exe
            "C:\Users\Admin\AppData\Local\Temp\b9ce5ea827209cd137010d1238bdfad8.exe"
            3⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1976
            • C:\Windows\SysWOW64\WinDir\Svchost.exe
              "C:\Windows\system32\WinDir\Svchost.exe"
              4⤵
              • Executes dropped EXE
              PID:1756

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt
        Filesize

        224KB

        MD5

        b18f04a86865dbfef2e9c83c222247cf

        SHA1

        2095d7de52abe570fd83ea4af9ded9487a68aac7

        SHA256

        6e4adfe973df90eac9b08d5c82df277445ece50ba9da95167de3d3a723dd0394

        SHA512

        b55f01c2b5941d14a94df273595bf8007f8f71c2fc1ea59b0885d9dd30a77415e324791a7eba784c269af591fe3b9d20acbc371a29b7826f053cd5a689748e51

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        57d71519d0b5a84dca53f8e7d169b6ea

        SHA1

        82fedb92b239aaf0fd705d7fd44f56c7d23342ab

        SHA256

        8cf9e7944a565d929157812fd4be53dd4d3c0be3112838fa2c5d8662c2dac596

        SHA512

        f555b687f78e85af7b41c139aa195fe04b8bfe17eba7e6a0bc1aff58290aa65e7241f740537fb3b11ddbd79c58340f7c716b1b2e27dc5d0deeb74b5fdeb088ab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a2efcb25320c7eacd93c989098f6eaa2

        SHA1

        03338b44423d5cbfb4bedae5a46a4a8f8d3167ef

        SHA256

        b421630be3c4c8a37e9596fea2942fd2b997280392fe3027b01a4062bf3ac0a3

        SHA512

        7eeb13f50408a81913d6af65f39ad1502b398f9d226e50473eabe4a02907e598b949dcc4106a15800925de9094203f25437d3608516a93db8a536a7a719adbad

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        a04f4fdad47596b0bd0907409afbb3e8

        SHA1

        baa400c8ac7c4a56681a20d8f27031266819ebb8

        SHA256

        be507deac142a88d48b7176ea94cbd2e4dc7522015c8e38fc590389cd9c4017c

        SHA512

        122eb2c6db7910db8a6b0614955145a410c2e41243d0570e53b1d1fb4e1e034aae0b879684d91092514b083872b1ec0299490ca568a7deb44d804b174a4ed8a7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        12cc5b6214340a2ddfd28b07ad9da0a9

        SHA1

        c59e2b757c0afbbb99a70dbf2d01c30a4e36a3d2

        SHA256

        3f629eb5f6bec6adc7423c21f19c9e50ed76a46984fc7c4566f41d488411b806

        SHA512

        344a74b0fb0c4143d6ac44b7df43b39cf89dcdd9b103feb90a37e314e9f61d1482389f506eb41245712cd00e6123324fd9f17351124402fa942c6b0e3d5e18f8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        6256defafbb8b1ccfd28393a83d1d94c

        SHA1

        a24ea43fbc1cfaf48764b27af0941413d24e6a9a

        SHA256

        1130214415c53f8f5c7776f9b83c101fafec003425c013e31b247196e334319f

        SHA512

        1cdf0d13d836f358216a98e640ac6c27698b4ae3c172a3ca425d95dcbf9aece1583494070dd2df8174893dcc78a2db754507468f966d104c66843ee40f12509d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        3c08f3ef7e983e0840ba4119dbc4d493

        SHA1

        ee2cd033edfb9107cb1fc5320abb5049ce9a720e

        SHA256

        9fdc0ab0940674d749caaaff839e3afb44539ad7836e020599dd984c4c825adb

        SHA512

        669f461e6242f8a7c7ecd73f7d3d2dd2b7acc6456c54ef8db5397ad320138d5a52a2e7685f69533c570d9d4acf8f760f5a5ada3141bf03dc1621b2ea8d8c4f7e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        4a55c612a9ef2fa6fd658d40c7d3fedd

        SHA1

        7fa589775d4f3b3a685ccaa547b8ee69da7a7616

        SHA256

        94778a2e16df1963ff4b098f81d8beafd367627cee91d43afef7163d0bb4a1fe

        SHA512

        82c3c0a870b962c2032a49376d73b250c11d4d825209a9ad735ed4764842511b2e96957133fb060a9a895ab65913bcbd8d46e2b84e3278e7e3395abf51314b04

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        72e91aeb56478b6a7f2aa168ea10984b

        SHA1

        6afa1a1deb954171b333cdc1711b0ddf380c16bd

        SHA256

        9710f97a7ccee1c7b2254a22813c9b5271d639b958ba9cb50a1bf65ce5d747c4

        SHA512

        9b568fad76d8dbf856a136299779aabbbb0de209422dfd84f6306f96e6881bf785c5f3ce1b8b8e5c14f74a164f7a377a7196f735757627ce294dc33a8aaf4bcc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        87d20d0e6aa0aeaf67134393a6d74179

        SHA1

        d320cbcb64f45768bec53fdc1ae4b1fafa8dbccd

        SHA256

        e0e76327431dc7a57af9d85d2757fda34ad51b53b01a56e6cb4cc829ddb4e270

        SHA512

        95c918de1a248b8ab73bef89da3ed88e632c9d9eb2e77124512c12ef34e6a9eda24625783ef77527e32dc97c5a8353e723dba40fe71d0fd5b4292851cc41af9e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        5bb9859c116e9ab222d53750c59ecaea

        SHA1

        5cde1c72136d7fd1bdb85a8daee1d562a3d6cbec

        SHA256

        fcb88b2f6ee145328164fe87e4e8c41ccd454040f50de46049ac1b5127ec37e1

        SHA512

        e75946f424c8d39f78bada34bc20c3dd8efd2395a534fd873e79a168ea2860b737fad186726f8dca24324ade716e62f398e05acc856de22a354d3453893ee871

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        d3116ba81b55dc41101bc68ecda3bde2

        SHA1

        9ec005eb2444b1f5a7accd3288a911152cb7d38b

        SHA256

        0e602929b55907edf2050cbb7b9283ed6a19b2d65f815d8c6992f5b6da46c640

        SHA512

        e27a7974c3718e76f4ad7d3a2ed0005ba895a97335e554ea922dff62560682c78145fe5775b07ad719c993f65234ff46b8c2ff9cf36c96f487b8f0b9c46ea7f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        8938eea294ec2fccf00e0549a3c10d13

        SHA1

        c63959f83bf7a0e44aa0d3761b744e6038e9d306

        SHA256

        89c142d2405ad54f2a687e56e7a9990ab919521b0f09a74835a4a726322c4293

        SHA512

        58ad59ec72565ef5f0cc85c8e55891dfd23fc96b290b7eda745543e7036da6eb5d8a94649628a27c5e6bdbcdd3c83f939dad6e14ae83c3e409c469f48a3ab1af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        7ddad4f9475e48c02929888c6445963c

        SHA1

        13fe66d5451b2418f497b643e0fedcb6326efe8a

        SHA256

        615875871c32674358a926235777c3ceba755f6f7b0f56c3493926b17e8a8b22

        SHA512

        f01f97595f94356ba28f04aca1bbde85265dd8ead4cabf3a5e8abc155d366a84c079220b957c0401f78c931130f17c51e57af55e9ce1163a7c955ebf384220a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        f46a98c2d0684871dcec32a1a2268862

        SHA1

        1a60a0818192901a67cd72b9472d21a03c1a6e37

        SHA256

        507946896dda4d1df600901e33827e2889f30c4a41372a71564d1624afd8b565

        SHA512

        288ce6873884d6104479b206e886c89ca0879e94d8b909259eaa7fce2f550789ed03c2e0fd8701bc0a080539c4358fdab756a3192267554e99e2b97ff33f4556

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        9cb7b3a9e145ac99b12870ac5f8b4c87

        SHA1

        8853b26b09cfafd34e236ce1cb7da45eb07eadf8

        SHA256

        1ad256a392a89625efc69ae35755b5afff30d9ea779ef420e589434fd67dd42b

        SHA512

        61eeb12822f953ded8ad21b2b10858f06ee8a12ba4598b51b4beeeeab95060274ebea53770450a13456afa8a041fa6b03dac8223b94bf3998d543c5e5bdc16df

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        0f22eb444ba54144064a107b24bc228d

        SHA1

        2e23d5f77ad872d2ef77f890309466a816b62551

        SHA256

        1a8fe8e7c413e09934165c38618cdd2fdedbd9c5ba2886968cf9c8274cdda4ff

        SHA512

        3e1f5499689024946fc5d58061262eee19a6ff2bc0af9516a44032c4b9e1f37e78244ff23e77c037630f6b97828f2f54a0c4b8c1b4c01095c956935ad345c4b7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        09244f108e4789845c9cfada0a9d7a20

        SHA1

        d0d6633265871662d6de1eb1bf37313626b3497f

        SHA256

        442f7eca6cd680dde8c627b22c2d67dc5c52a56710ecdd8ef00c4856037d09d8

        SHA512

        8ea01b75100ea8469069bee08501a2ad573c4266639c5b683d7264e59095e279be92f08d2b0e63e4358ea85978dee36af1ff12a373b6dba8f65b49d7a140c932

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        305550e0bb3cd3c9dae4cede34a6959d

        SHA1

        d689f2327617b89507e20d1a1e51e8d8524fb6ce

        SHA256

        8e6bc5e9feae20c9e231e5c0c6086c15ac6fadcea2c2874c58bb4598f46498ad

        SHA512

        8b573f03c25c58c1a5c0221ad17cd0006f16e0b28f57b8acf7d0e0abe8ba9fb023cffb9cfef38820de57b76c97e579f0539fc5b493d44ed584df01210d0db076

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        17a8e1037291f9dbbf023d796d0e5565

        SHA1

        fba623d0954497148491c3d79db920cdcd581e80

        SHA256

        3dd2968259a5030929bbaab22f36176ff8235ca539e962633aa1e1e36bd29b55

        SHA512

        5c9d2a9df5110b1963e85eb5fe5b936b5c666c79fa9815724ab58615839b3dd4dfb9b7f653f42dfef586f2a9a7cd0d662af047b1c780c0d41cbd329b41c767f6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Admin7
        Filesize

        8B

        MD5

        2118504b1347f8cd85826ed1c6e79484

        SHA1

        05c3ea2a2fcdbec4ab74eeff8748dbb703995c94

        SHA256

        fbb57030f2bd12a185d25c10301794232914f100a6eac2f3f1daf0d0ec7076b8

        SHA512

        c7eccca188e03a288e523fcd56bebc4e0bcae79a371e9644b5790c70e520a96b789d22f73661139a4d26113569a753401e6c830a5dde27e11f1c2764559ad0e4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Adminlog.dat
        Filesize

        15B

        MD5

        bf3dba41023802cf6d3f8c5fd683a0c7

        SHA1

        466530987a347b68ef28faad238d7b50db8656a5

        SHA256

        4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

        SHA512

        fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

        Download Submit

      • C:\Windows\SysWOW64\WinDir\Svchost.exe
        Filesize

        296KB

        MD5

        b9ce5ea827209cd137010d1238bdfad8

        SHA1

        474bcba01fc049bca30e11eb8b3a9d93d77fa052

        SHA256

        a4e65008378dd09b23da9ead775158c84dd4a40f75557bd865d6d9cec02607a4

        SHA512

        7f01d4f6ca8073c9a3c923bcce1b1a5359bc4876aba52fc010bea7fac9f93c815227214fbc0b441c6828c64a6b0998b05b9de3bbc0bb41db02f95e3481c9e787

        Download Submit

      • memory/596-537-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/596-250-0x00000000003C0000-0x00000000003C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/596-248-0x0000000000330000-0x0000000000331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/596-860-0x0000000010480000-0x00000000104E5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/1208-3-0x0000000001C70000-0x0000000001C71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-1654-0x0000000010560000-0x00000000105C5000-memory.dmp

        Filesize

        404KB

        Download

      • memory/1976-838-0x0000000010560000-0x00000000105C5000-memory.dmp

        Filesize

        404KB

        Download