Overview

overview

10

Static

static

7

c4f764597e...5d.exe

windows7-x64

10

c4f764597e...5d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    13-03-2024 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4f764597e9912dca5e7c462d99b965d.exe

  • Size

    665KB

  • MD5

    c4f764597e9912dca5e7c462d99b965d

  • SHA1

    4b300b99f61cfec284fca6e1390eb30b7bba5803

  • SHA256

    3c058a8e9c46df81f2cbc595282d8e46e25b0b4ecd883f901a30e59a660657ff

  • SHA512

    edb16b61f68ae57c816eae37574512e1d556276a5abd9a2c1e4e2c70ab68dc9b22e31ba2012165ba32668d26b585665ee9ae9e11914357c314b926d99fcb68d3

  • SSDEEP

    12288:qHLUMuiv9RgfSjAzRtyclz4pR1UMedz6lI1vV4u+0qsx:ItARZlkpR1Uhz+Q

Score
10/10
cybergatelammerpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

Lammer

C2

matrix-hacker.no-ip.biz:81

Mutex

Pluguin

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    Microsoft

  • install_file

    virus.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.

  • message_box_title

    LAMMER

  • password

    123

  • regkey_hkcu

    win32

  • regkey_hklm

    win32

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4f764597e9912dca5e7c462d99b965d.exe
    "C:\Users\Admin\AppData\Local\Temp\c4f764597e9912dca5e7c462d99b965d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Users\Admin\AppData\Local\Temp\c4f764597e9912dca5e7c462d99b965d.exe
      "C:\Users\Admin\AppData\Local\Temp\c4f764597e9912dca5e7c462d99b965d.exe"
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Users\Admin\AppData\Local\Temp\c4f764597e9912dca5e7c462d99b965d.exe
        "C:\Users\Admin\AppData\Local\Temp\c4f764597e9912dca5e7c462d99b965d.exe"
        3⤵
          PID:2668

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    3
    T1547

    Registry Run Keys / Startup Folder

    3
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    3
    T1547

    Registry Run Keys / Startup Folder

    3
    T1547.001

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1632-16-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-35-0x0000000002130000-0x0000000002215000-memory.dmp
      Filesize

      916KB

      Download
    • memory/1632-3-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-5-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-7-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-9-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-11-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-15-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-85-0x0000000002130000-0x0000000002215000-memory.dmp
      Filesize

      916KB

      Download
    • memory/1632-1-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-13-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-18-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-19-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1632-84-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2260-17-0x0000000000400000-0x00000000004E5000-memory.dmp
      Filesize

      916KB

      Download
    • memory/2260-0-0x0000000000400000-0x00000000004E5000-memory.dmp
      Filesize

      916KB

      Download
    • memory/2668-34-0x0000000000150000-0x0000000000151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2668-23-0x00000000000B0000-0x00000000000B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2668-36-0x0000000000400000-0x00000000004E5000-memory.dmp
      Filesize

      916KB

      Download
    • memory/2668-29-0x00000000000D0000-0x00000000000D1000-memory.dmp
      Filesize

      4KB

      Download