Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08-04-2024 22:37
General
-
Target
42BE3BED9261FBAE0A0AED767EBD88C0.exe
-
Size
202KB
-
MD5
42be3bed9261fbae0a0aed767ebd88c0
-
SHA1
6630748f26ac9e3a8d19cb43eeacd77d506b1808
-
SHA256
c1d29284b6d4ae244712dd49661841b36a6de2387cad6ab55388b22769151878
-
SHA512
bf522bb82bdee59a355043b0af17c42bf79b1d4e59120d3fb9ffcb96aad369d221b60af1106b29c51286a94d95ccfc80cc69421590c20a9984c73d61174a7c7b
-
SSDEEP
3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIGYcsD6RA5E3bKKiCf3e0kYrOV:QLV6Bta6dtJmakIM5gcs8A5ELiUfoZ
Malware Config
Extracted
cybergate
v1.02.1
Lammer
appdiscordgg.duckdns.org:81
appdiscordgg.duckdns.org:80
Pluguin
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./
-
ftp_interval
30
-
injected_process
svchost.exe
-
install_dir
Microsoft
-
install_file
svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
-
message_box_title
LAMMER
-
password
123
-
regkey_hkcu
Microsoft
-
regkey_hklm
Microsoft
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\42BE3BED9261FBAE0A0AED767EBD88C0.exe"C:\Users\Admin\AppData\Local\Temp\42BE3BED9261FBAE0A0AED767EBD88C0.exe"1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\server.exeFilesize
282KB
MD59b0975e52c196e91d4bee83ec4a2d950
SHA1e049054e78b39dbc0d0b69ae88e03a86bab502a2
SHA256cd3ad6a8b2816ffcb6e38662071a3304562543e735fc730852316838c3ffefce
SHA51291d38e6b53dac21ad2dd1010e86957a76d890efe8e9cc4dee55d03055a73a86764bd17b183d8c604d0ab7eae792d0cd6d5e5d74e7037200f9267da20db643751
-
memory/1888-0-0x0000000074610000-0x0000000074BBB000-memory.dmpFilesize
5.7MB
-
memory/1888-1-0x0000000074610000-0x0000000074BBB000-memory.dmpFilesize
5.7MB
-
memory/1888-2-0x0000000001E40000-0x0000000001E80000-memory.dmpFilesize
256KB
-
memory/1888-7-0x0000000074610000-0x0000000074BBB000-memory.dmpFilesize
5.7MB
-
memory/1888-8-0x0000000074610000-0x0000000074BBB000-memory.dmpFilesize
5.7MB
-
memory/1888-9-0x0000000001E40000-0x0000000001E80000-memory.dmpFilesize
256KB