Analysis

  • max time kernel
    146s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    16-03-2024 19:59

General

  • Target

    ceefcf02c92ab1bb3042b882e9a6637e.exe

  • Size

    1.6MB

  • MD5

    ceefcf02c92ab1bb3042b882e9a6637e

  • SHA1

    ac138746d5c3b5ca777cb4e7a057c6b84aaac76b

  • SHA256

    08bbf2e4657271c35a06e2288aa82fdfa663e06b98f3f5189d8749f03e3d9ba4

  • SHA512

    fcf0fd0099bec688db085d528de1c8a13a6cd13f023bf833260125d222482c7dbc84f24cd0db4a4a01149f67ecba5896e44df8ac7fcfd6f275759c3fc87ae316

  • SSDEEP

    49152:sMsxm4qZKuScUmS7tehSJhSHjLh9ENTalbZR:sQU7uyhSvENmtf

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

$TESTE$

C2

ocaradepauhackert.no-ip.biz:2000

Mutex

***MUTEX***

Attributes
  • enable_keylogger

    true

  • enable_message_box

    true

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    regditclean.ocx não registrada (Portuguese: "regditclean.ocx not registered")

  • message_box_title

    error

  • password

    abcd1234
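The extracted configuration above gives a C2 hostname and port and an install location, and the dropped-file list further down gives file hashes; together they convert directly into host and network detections. The following Python is an added example and not part of the sandbox report: the indicator values are copied from this report, while the DNS, connection and file-inventory records it runs over (and their field layout and host names) are constructed for illustration. Because the C2 name is a no-ip.biz dynamic DNS host, the resolved address is not a durable indicator, so the port-only network match is correlated with a DNS hit on the same host before it is treated as C2 activity.

```python
"""Host/network IoC matching for the CyberGate sample in this report.
Added example: indicator values come from the report; telemetry and its layout are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- Indicators copied from the report ---------------------------------------
C2_HOST = "ocaradepauhackert.no-ip.biz"            # Malware Config -> C2
C2_PORT = 2000
# install_dir + install_file; the 32-bit sample lands in SysWOW64 via file-system redirection
INSTALL_PATH = r"c:\windows\syswow64\install\server.exe"
SHA256_IOCS: Dict[str, str] = {
    # submitted sample, also written back as \Windows\SysWOW64\install\server.exe
    "08bbf2e4657271c35a06e2288aa82fdfa663e06b98f3f5189d8749f03e3d9ba4": "ceefcf02c92ab1bb3042b882e9a6637e.exe",
    # 584KB server.exe in C:\Windows\SysWOW64\install\
    "2b69bde0a2e3fac3a33c543af6d4d70d6006bc6d4f1d2cef4ee19d43f7cd9630": "server.exe (584KB)",
    # dropped crypter stub
    "eb557bf81450de09da90f346d1b478a06d5c0d4a6ac200f458b3ac5a90fe2309": "Metralha's Crypter v3.12.exe",
}

@dataclass(frozen=True)
class Hit:
    source: str   # "dns", "net" or "file"
    host: str     # endpoint the record came from
    detail: str

# --- Constructed telemetry (assumed layout: "<host> <utc-time> <fields...>") ---
DNS_LOG = """\
ws01 2024-03-16T19:59:41Z query A ocaradepauhackert.no-ip.biz
ws01 2024-03-16T19:59:41Z query A www.example.com
ws02 2024-03-16T20:01:03Z query A OCARADEPAUHACKERT.NO-IP.BIZ.""".splitlines()

NET_LOG = """\
ws01 2024-03-16T19:59:42Z tcp 10.0.0.5:49213 -> 203.0.113.7:2000 SYN
ws01 2024-03-16T19:59:42Z tcp 10.0.0.5:49214 -> 93.184.216.34:443 SYN
ws03 2024-03-16T20:05:00Z tcp 10.0.0.9:50111 -> 192.0.2.40:2000 SYN""".splitlines()

# (host, path, sha256) rows from a constructed endpoint file inventory
FILE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws01", r"C:\Windows\SysWOW64\install\server.exe",
     "2b69bde0a2e3fac3a33c543af6d4d70d6006bc6d4f1d2cef4ee19d43f7cd9630"),
    ("ws01", r"C:\Users\Admin\AppData\Local\Temp\Metralha's Crypter v3.12.exe",
     "eb557bf81450de09da90f346d1b478a06d5c0d4a6ac200f458b3ac5a90fe2309"),
    ("ws02", r"C:\Windows\SysWOW64\install\server.exe", "00" * 32),   # same path, unknown build
    ("ws03", r"C:\Program Files\Internet Explorer\iexplore.exe", "11" * 32),  # benign
]

CONN_RE = re.compile(r"^(?P<host>\S+) \S+ tcp \S+ -> (?P<dst>[\d.]+):(?P<port>\d+) ")

def match_dns(lines: List[str]) -> List[Hit]:
    """Flag queries for the configured C2 name (case-insensitive, trailing dot tolerated)."""
    hits = []
    for line in lines:
        host, _ts, _op, _rtype, qname = line.split()
        if qname.lower().rstrip(".") == C2_HOST:
            hits.append(Hit("dns", host, f"DNS query for {qname}"))
    return hits

def match_connections(lines: List[str]) -> List[Hit]:
    """Flag TCP connections to the configured C2 port. The port alone is a weak signal
    (tcp/2000 is used by legitimate services too), so pair it with correlate_c2()."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m and int(m["port"]) == C2_PORT:
            hits.append(Hit("net", m["host"], f"TCP to {m['dst']}:{m['port']}"))
    return hits

def correlate_c2(dns_lines: List[str], net_lines: List[str]) -> Set[str]:
    """Hosts that both resolved the C2 name and connected to the C2 port."""
    dns_hosts = {h.host for h in match_dns(dns_lines)}
    net_hosts = {h.host for h in match_connections(net_lines)}
    return dns_hosts & net_hosts

def match_files(inventory: List[Tuple[str, str, str]]) -> List[Hit]:
    """Exact hash matches first, then the configured install path with any hash: every
    CyberGate build has a different hash but the same install_dir/install_file."""
    hits = []
    for host, path, sha256 in inventory:
        digest = sha256.lower()
        if digest in SHA256_IOCS:
            hits.append(Hit("file", host, f"{path}: SHA256 matches {SHA256_IOCS[digest]}"))
        elif path.lower() == INSTALL_PATH:
            hits.append(Hit("file", host, f"{path}: configured install path, hash not in report"))
    return hits

if __name__ == "__main__":
    for hit in match_dns(DNS_LOG) + match_connections(NET_LOG) + match_files(FILE_INVENTORY):
        print(hit)
    print("C2 correlated on:", sorted(correlate_c2(DNS_LOG, NET_LOG)))
```

In the constructed data ws03 connects to tcp/2000 without ever resolving the C2 name and is not correlated, while ws02 has the install path with an unknown hash and is still flagged, which is the behaviour wanted for a family whose builder produces a fresh hash per campaign.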

Signatures

  • CyberGate, Rebhip

    CyberGate (also detected as Rebhip) is a remote access trojan with a wide array of functionalities; in this sample's configuration the keylogger and the decoy message box are both enabled, and the bot installs itself as server.exe under an "install" directory.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
    "C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
      C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
          PID:2648
        • C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe
          "C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2548
          • C:\Windows\SysWOW64\install\server.exe
            "C:\Windows\system32\install\server.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:1552
            • C:\Windows\SysWOW64\install\server.exe
              C:\Windows\SysWOW64\install\server.exe
              5⤵
              • Executes dropped EXE
              PID:1440
          • C:\Users\Admin\AppData\Local\Temp\Metralha's Crypter v3.12.exe
            "C:\Users\Admin\AppData\Local\Temp\Metralha's Crypter v3.12.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2560
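The process tree above is the execution-time trace of the signatures listed earlier: the submitted executable launches a second copy of itself (the SetThreadContext and WriteProcessMemory hits), that copy launches iexplore.exe and a third copy, and the chain ends in the dropped C:\Windows\SysWOW64\install\server.exe, which repeats the self-launch. The following Python is an added example and not part of the report: it encodes the tree with the report's own PIDs and image paths (the record layout stands in for process-creation telemetry such as Sysmon Event ID 1, and the root's parent PID is an assumption because the report does not show it) and applies three heuristics a detection engineer would derive from this chain. The configuration names explorer.exe as the injection target while the tree shows iexplore.exe being launched, so the browser rule covers both names.

```python
"""Process-tree heuristics for the CyberGate execution chain in this report.
Added example: PIDs and images are the report's; the (pid, ppid, image) record layout
is an assumption standing in for process-creation telemetry such as Sysmon Event ID 1."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ceefcf02c92ab1bb3042b882e9a6637e.exe"
EVENTS: List[Proc] = [
    Proc(2984, 0, SAMPLE),      # submitted sample; ppid 0 is a placeholder, not in the report
    Proc(1668, 2984, SAMPLE),   # first self-launch
    Proc(2648, 1668, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(2548, 1668, SAMPLE),   # second self-launch
    Proc(1552, 2548, r"C:\Windows\SysWOW64\install\server.exe"),   # dropped copy
    Proc(1440, 1552, r"C:\Windows\SysWOW64\install\server.exe"),   # dropped copy re-launches itself
    Proc(2560, 2548, r"C:\Users\Admin\AppData\Local\Temp\Metralha's Crypter v3.12.exe"),
]

TEMP_DIR = "\\appdata\\local\\temp\\"
WINDIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INJECTION_HOSTS = {"iexplore.exe", "explorer.exe"}   # config says explorer.exe, tree shows iexplore.exe

Alert = Tuple[int, str, str]   # (pid, rule name, detail)

def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]

def _in_temp(image: str) -> bool:
    return TEMP_DIR in image.lower()

def _windir_subdir(image: str) -> bool:
    """True for an image inside System32/SysWOW64 but in a subdirectory (e.g. \\install\\),
    which normal system binaries do not use."""
    img = image.lower()
    return any(img.startswith(root) and "\\" in img[len(root):] for root in WINDIRS)

def analyze(events: List[Proc]) -> List[Alert]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in events}
    alerts: List[Alert] = []
    for p in events:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue   # root of the recorded tree
        child, par = p.image.lower(), parent.image.lower()
        # Rule 1: a process launching a second copy of its own image. Browsers do this
        # legitimately, so weight it by where the image lives (Temp or a windir subdirectory).
        if child == par:
            alerts.append((p.pid, "self_spawn",
                           f"{_basename(child)} re-launched itself (RunPE/hollowing pattern)"))
        # Rule 2: a Temp-resident executable starting a browser/shell, the usual hollowing host.
        if _in_temp(par) and _basename(child) in INJECTION_HOSTS:
            alerts.append((p.pid, "temp_parent_launches_browser",
                           f"{_basename(child)} started by {_basename(par)} from Temp"))
        # Rule 3: a Temp-resident executable starting something it planted under System32.
        if _in_temp(par) and _windir_subdir(child):
            alerts.append((p.pid, "temp_parent_drops_to_windir",
                           f"{p.image} started by {_basename(par)} from Temp"))
    return alerts

def ancestry(events: List[Proc], pid: int) -> List[int]:
    """PID chain from the given process up to the root of the recorded tree, for triage."""
    by_pid = {p.pid: p for p in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain

if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"{pid:>5} {rule:<30} {detail}")
    print("ancestry of 1440:", " <- ".join(map(str, ancestry(EVENTS, 1440))))
```

Against the report's tree the self-launch rule fires three times (PIDs 1668, 2548 and 1440), the browser rule once (2648) and the System32 rule once (1552); the crypter stub (2560) is not caught by any of these and would need the file-drop telemetry that produced the "Executes dropped EXE" signature.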

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

      Filesize

      1.3MB

      MD5

      4b2240fb77c6e4bb5dc9dfddd2b45f7c

      SHA1

      afbb9c29e9a9ad28832bd17a8352e813a374e7c7

      SHA256

      bbf66c19da983fed7d268304f54ed76233d636c3de6b5a017baf1c6a74501f07

      SHA512

      9ca6b1279dbebfc2143d6533a89c04acd2632d68c53b2dbb590fd46c94c1ba0cca95e10b6d094dfa98c338a0cec2d91df16fe2c9592a916122ee8d01dc4490e7

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      a75b89d24e7664aab6aac0716aa97c9c

      SHA1

      db68902e044f958e8935ee231d73c70b20648fce

      SHA256

      40f647ffb49a960f7ff2881122c6e0c113b96a338b0b34db3b3ee248491f7bd8

      SHA512

      7d0dc8b9280c0d171295cc34e83126f3ae8c9b4da603cbc6183c4a3efd0f759c0a18e091f165daac7afa20d833f8f16d0442a5823f5a2dd4cc57be541eefff8f

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      28f8bfd95a6054c26ce22e79aecb4146

      SHA1

      6e6e6a1c5aa07acd250070baf856b76abc1c5f4e

      SHA256

      5995aac9ff7075519f890fdd131460276ad775f3d44b3550cf43ba90cbe978a6

      SHA512

      eba44e0d8e1d121d5fe728ae248ef790d8681d680818c76a4aafa923b98ade230a072ef65e724e9908e11dac9bf8ce617de3a4cb5929464976fe3561fc0aebd9

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      53fbbbc6a6dded3494cce882f81155c1

      SHA1

      06a1328a49c668dcf58907e408486808b6c9dfca

      SHA256

      847aa64e263168d11b39240d7ee147fba23feb7f3bc39db7c4aa3f7bc11001b1

      SHA512

      23c3b5bb43820201fb3b586f0c1e59560d9f30db62081f4001a52b5abd88e1db5befd0be132bb0e54a0445a76494e2a6934336e5b84bd117fe32c9d8c541de8e

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      c497d95f673657b97789b1708130b814

      SHA1

      c36c7fbb3f8561cad344415c898971e0a7f33985

      SHA256

      0efbb840f79d15fc778c8ae9dd09c5146afe90b42ed84689fee74f3bb860b8d9

      SHA512

      96c8eabc057523f97eb10cfa142e3422235f4583e717b6d822e8c4c1bb798f54757925344121ebe5d5b9b90450177d124232191a4ca683581d826fcefccd2675

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      c2e070264b702e65a094e27609fcdc33

      SHA1

      32b9a0543e46cc2fd049fb5ed1b95e6824559f76

      SHA256

      702a068bd29a0c67879fafe0b916155ee5d3e52a71a693d72d87b3febead48da

      SHA512

      22e4f389facb67dae7be2b56d92dfad3c36340017118fc8b0ecc30c4d5468c1739ea981498a275884c2e0370ca1206486086d0ccac1f60f3a8d3f036fa440fe2

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      22161f5d0f540e92ce2db67de855be24

      SHA1

      e098398f5dd63ec7133a03726d76983a7c0bb0c5

      SHA256

      6e28a10af97c6a1f2d4204c4d2c38fc8a8aa832e0dd701b6a9835b6533ce48e9

      SHA512

      93e2a9a8d39259892ba9cce3b61da46f844895c10933fa7e373c9cb0c195479f92a9739247368bd1956031f589113510c7ec3f10b755b5f8fdec0912292e85a4

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      38042c44c94234415f7960821e7dd8df

      SHA1

      850a3f1787ac7688e342521ec5d15bc92a26b6f0

      SHA256

      257ad4bebed018627fa2880837b1d51e4d552e01357413e399e67b19264c5d84

      SHA512

      d1fd4a0769935c71c38b3de461a8d6c478228d368e8c0449276319d70f91b4a872214f6f2c0258279f94b378b7d5e4fc1ed4d6f75dcedca1fa3bf13c544e3e46

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      01bf5e34c403959532e44b571e2028ad

      SHA1

      4fcf4713ba4de5e508d0a0f143591d300f3066dd

      SHA256

      07b2f5d16f0eb7d43f116795431077d628b1fefcaefbcd39c835d667f8b68100

      SHA512

      226a97e067e3c1c70b7cf5b5da735c4b4816044ae07c10b6a89f5fadd3c684a040201ecddf79ff1712a62ee88b5348f56d8860922a64adff9136fa83d63b6c88

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      c0503a53438dc857f52038d5405330d5

      SHA1

      71d78109118890b5ff7817d6faebd631b20f4ac1

      SHA256

      6071cafd334e997ae113083efc81fc9707973a18bcff79f27b1e15ae70778d3b

      SHA512

      49618b84b17ce743a40820d44eeba090fe928405cd3b85e98e46fc5b539943bbb15806087e862afdd838f9fa681e157ddaff3dc6986e0b0b2ed770cc3caa0a64

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      30a697f75218c41eca32084228f92ddb

      SHA1

      e4257c9f705a5ec1fbeefeed133d1e6d9b214bc9

      SHA256

      b762c70386cd80da862d1ac8e9e55d0283d7636109b75d46135af2237e97b8f6

      SHA512

      9b86a31c3f435550c606652b2ad255e113009c2b5d054eee132dcf18683a76b74097b79fce55d59d536b4552285d6639283d6dc227881eecb6ed772f94182d88

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      091e769d5b6b963113a4600fce207ee2

      SHA1

      cba93dbbb1da605a9272b12fbfd1a526ae592bc4

      SHA256

      5086de679b4efee8ecb45c095af61852d7b6e192bff17a1b1dd0dd4047d4b6fc

      SHA512

      b1c333511bcd265d06a3dfd0fa483488b3eac463fc90195d5e6ec9a0e17dc5e89c7921dd6bffa344cdef0bbc71dd6b350bfc70b005e14bf4c9876f59d119ea35

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      d234f3248a211df6cb5595de6cecce27

      SHA1

      9bfbc1df2b8feb9e0a54691e54f4f94ff18869af

      SHA256

      c2af8be8035f6a6b27d9594ce0cf943472e6e491d42a538da6267b708936c2a0

      SHA512

      8b94500cc8f1b526ba1bac2391dadcad1cd80c324cb2ea529c6a8e0f2ba7c5e66295722ca86c63bcfb173b1705d705c26f20b5bfac7c036df829174d396102b5

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      65393e15b56ac0aa4b014b4be227c668

      SHA1

      fc13390bda76ff36c19bb9633b2fc253fe2a7e78

      SHA256

      2c05f8ef4a06f5f7d9d3f160c73ee371a33ac7463e76ddd40842e1373d73d8e1

      SHA512

      c0e1920f1c7aed72eb659d458dac62f3facc595f90253ad0b770c68049f7c95e35f2dfac1cd4b07edc3179b97d734b1ed8fe54d9849e4894b8040eb5b7f17cca

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      f41453b84c71c8d452eea3d910fca1cb

      SHA1

      4a6b3727e97cc086d3bcee6c6f43a3f33e9b562a

      SHA256

      0809eabd3c6dc0d179ba5df176ec6572e092f54bd5bfe2e4379ca99ff72a1bc1

      SHA512

      ac323bd597c2de7e17a706df2be9e94eaed0c99dacfb6e0ea2a42d68fa49aa7be67abafbd86d4497c8b951fbece65ded48379d3f7ddb30c0ff4a29f8da172095

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      911591c7049739394bab4f79a1aef95b

      SHA1

      a2607b077e9738247833a256df9c2b7a2e49977a

      SHA256

      fdc5e8ca9462dfe7d7523452e8f60d2df0b24dd5101ebde9ec5b6f269f650169

      SHA512

      9231528a0e6d6c5b38769f100bac29341f2133027c7d8e03e98066cc6315d1f965f5ba8909cb7133bf1ef005fa1189c192f62986eeee63d3aefada93764d8012

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      417413f7b4b9cfe85a87ba0dda1cbf9e

      SHA1

      31d348e11353cefdde591d4a89013f7f470a0216

      SHA256

      1e55632a6aa5f6bd633751632e71be9f41eee9f0a8c2e2cdd57fcb3525f705e6

      SHA512

      12e19fbf8af2a2e6b53f1aec109fac22aaccf41bbba202df862ce84887de06d471df134b16c828cb2cd202f88fc1ac18dc25a25c9af6a18ef01602bf9b65eed7

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      ac7cd5f90f764dd3069a56a64728c7f9

      SHA1

      9e10796f886399467bd72494d1937a6a8e1a6c1f

      SHA256

      c0a3f4b7b9b09479800cd790855d08b88dc7fdf82dcf2a1ae97593b7832663ec

      SHA512

      43574d56949960458751531824d61dddb2184f2337e74d9635b7a8fedcf4c61da6fd5be54267bca0e03f5799390a43efa875ada42c91d5477ccfe9bb24df10a6

    • C:\Users\Admin\AppData\Local\Temp\XxX.xXx

      Filesize

      8B

      MD5

      cf15a3fed2d09361032daacf62b2379c

      SHA1

      6e4b5f19b7b834726c5e102960b1ffc3b9de6a5d

      SHA256

      d8343c70a3ffd22017a7a4f905b88eb8d763c350f9d811d748b73df9e18e5439

      SHA512

      cb2512b88fca11dcd7f727e4c16e6ac696e8a869438ee36b697eeb880328ad35e8c4f0b5373f5b14e0c016802bf21d8124e3c384bc0c3bb3ff5b3192cd7ce92e

    • C:\Users\Admin\AppData\Roaming\logs.dat

      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

    • C:\Windows\SysWOW64\install\server.exe

      Filesize

      584KB

      MD5

      8b363511ac765476b0f44f924ce0be8e

      SHA1

      3267a8122cbb7f141938bb4e7acb0000b26b0fb6

      SHA256

      2b69bde0a2e3fac3a33c543af6d4d70d6006bc6d4f1d2cef4ee19d43f7cd9630

      SHA512

      9d5fcb1d75c5f32182c84027dabdf0151d7f44e3320a35d9fd3f82333bb26d631e5748681774acbc53c7c768953f749727558991c5f2be975bcab44958b736a0

    • \Users\Admin\AppData\Local\Temp\Metralha's Crypter v3.12.exe

      Filesize

      696KB

      MD5

      877abd9b81976255de04d02548ce6d8e

      SHA1

      d685dd24c2e86b032c1cc65ebd182977c634714b

      SHA256

      eb557bf81450de09da90f346d1b478a06d5c0d4a6ac200f458b3ac5a90fe2309

      SHA512

      42d6550d97cfede4cb680e521d2cc2c36271ce02bb216b3f26cee0371d70f0dad8d13473028413b7c150f80d4f926f77d1f3a3941648482be2e02c9e285aa552

    • \Windows\SysWOW64\install\server.exe

      Filesize

      1.6MB

      MD5

      ceefcf02c92ab1bb3042b882e9a6637e

      SHA1

      ac138746d5c3b5ca777cb4e7a057c6b84aaac76b

      SHA256

      08bbf2e4657271c35a06e2288aa82fdfa663e06b98f3f5189d8749f03e3d9ba4

      SHA512

      fcf0fd0099bec688db085d528de1c8a13a6cd13f023bf833260125d222482c7dbc84f24cd0db4a4a01149f67ecba5896e44df8ac7fcfd6f275759c3fc87ae316

    • memory/1440-3405-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/1440-3408-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/1552-3403-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/1668-3357-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/1668-88-0x0000000000220000-0x000000000023E000-memory.dmp

      Filesize

      120KB

    • memory/1668-75-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/1668-18-0x0000000000220000-0x000000000023E000-memory.dmp

      Filesize

      120KB

    • memory/1668-12-0x0000000010410000-0x000000001046C000-memory.dmp

      Filesize

      368KB

    • memory/1668-8-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/1668-7-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/1668-5-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/1668-3-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/2548-33-0x0000000000330000-0x0000000000331000-memory.dmp

      Filesize

      4KB

    • memory/2548-3529-0x000000000A2A0000-0x000000000A2BE000-memory.dmp

      Filesize

      120KB

    • memory/2548-3409-0x0000000010470000-0x00000000104CC000-memory.dmp

      Filesize

      368KB

    • memory/2548-3392-0x000000000A2A0000-0x000000000A2BE000-memory.dmp

      Filesize

      120KB

    • memory/2548-3355-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2548-3356-0x0000000010470000-0x00000000104CC000-memory.dmp

      Filesize

      368KB

    • memory/2548-26-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/2548-20-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/2984-0-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2984-6-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2984-4-0x0000000000230000-0x000000000024E000-memory.dmp

      Filesize

      120KB