Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2024 21:35

General

  • Target

    332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe

  • Size

    808KB

  • MD5

    9de9363c50721f3c8eae5a2725f51690

  • SHA1

    f1eb284765f36d9d7c498e43d2403c3af2b2ab6f

  • SHA256

    332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4

  • SHA512

    a36962d9e16873d108a79eaee1e1bfd5dceb2fab54f61a1dae5d859625d0b3bb5a80041c7cbebb90ad1c61f6d7efe90c7d698ab4d17353d68637b54090e85d4a

  • SSDEEP

    12288:cXJYagld8WUxFkyekJfC+R3D5g4OYo4VsJdq3vbFPXswlXV/4JUu8KbEYUDDKvm8:2YFkJqOG4xBxVS

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

stopscammingidiot.no-ip.biz:100

Mutex

G16V88J605XN2M

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    Svchost.exe

  • install_dir

    system32

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Cybergate family
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe
        "C:\Users\Admin\AppData\Local\Temp\332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Users\Admin\AppData\Local\Temp\390.exe
          C:\Users\Admin\AppData\Local\Temp\390.exe
          3⤵
          • Adds policy Run key to start application
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            4⤵
            • Boot or Logon Autostart Execution: Active Setup
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1132
          • C:\Users\Admin\AppData\Local\Temp\390.exe
            "C:\Users\Admin\AppData\Local\Temp\390.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2236
            • C:\Windows\SysWOW64\system32\Svchost.exe
              "C:\Windows\system32\system32\Svchost.exe"
              5⤵
              • Executes dropped EXE
              PID:1728
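The extracted configuration above and the process tree just shown give enough material for a small host-and-network indicator check. The Python below is an added example, not part of the sandbox report and not CyberGate's own code: it derives indicators from the config values on this page (C2 host and port, mutex, install_dir and install_file) and runs them over telemetry lines that are constructed for the example from the paths and PIDs in the process tree. The telemetry line format, the Active Setup StubPath check and the `ExampleComponent` subkey name are assumptions, not something the report states.

```python
import re
from dataclasses import dataclass

# Values copied from the "Malware Config" section of this report.
CYBERGATE_CONFIG = {
    "c2": "stopscammingidiot.no-ip.biz:100",
    "mutex": "G16V88J605XN2M",
    "install_dir": "system32",
    "install_file": "Svchost.exe",
}

# Directories in which a genuine svchost.exe lives on 64-bit Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Active Setup persistence location (well-known key; the report does not
# name the subkey this sample wrote, so the check is generic).
ACTIVE_SETUP_MARK = "\\active setup\\installed components\\"


@dataclass(frozen=True)
class Hit:
    pid: int
    reason: str
    line: str


def derive_iocs(cfg):
    """Turn the extracted config into matchable indicators."""
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2": (host.lower(), int(port)),
        "mutex": cfg["mutex"],
        # The report shows the dropped file at C:\Windows\SysWOW64\system32\
        # although the command line says C:\Windows\system32\system32\, which is
        # what WOW64 file-system redirection does to a 32-bit process; so match
        # on the configured path tail, not on a full path.
        "install_tail": "\\" + cfg["install_dir"].lower() + "\\" + cfg["install_file"].lower(),
    }


# Constructed telemetry format (assumption): "<kind> pid=<n> <detail>"
EVENT_RE = re.compile(r"^(?P<kind>\w+) pid=(?P<pid>\d+) (?P<detail>.+)$")


def classify(kind, detail, iocs):
    """Return why a single event is interesting, or None if it is not."""
    d = detail.lower()
    if kind == "mutex" and detail == iocs["mutex"]:
        return "mutex from extracted CyberGate config"
    if kind == "connect":
        host, _, port = d.rpartition(":")
        if port.isdigit() and (host, int(port)) == iocs["c2"]:
            return "connection to configured C2"
    if kind in ("process", "file"):
        directory, _, name = d.rpartition("\\")
        if name == "svchost.exe" and directory in LEGIT_SVCHOST_DIRS:
            return None  # the real service host; path alone says nothing
        if d.endswith(iocs["install_tail"]):
            return "configured install path (install_dir\\install_file)"
        if name == "svchost.exe":
            return "svchost.exe outside System32/SysWOW64 (masquerading)"
    if kind == "registry" and ACTIVE_SETUP_MARK in d and d.endswith("\\stubpath"):
        return "Active Setup StubPath write (boot/logon autostart)"
    return None


def triage(lines, cfg=CYBERGATE_CONFIG):
    """Match every telemetry line against the config-derived indicators."""
    iocs = derive_iocs(cfg)
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        reason = classify(m["kind"], m["detail"], iocs)
        if reason:
            hits.append(Hit(int(m["pid"]), reason, line))
    return hits


# Constructed sample telemetry: PIDs and paths taken from the process tree
# above, plus one benign svchost.exe and one masquerading copy for contrast.
SAMPLE_EVENTS = [
    r"process pid=2236 C:\Users\Admin\AppData\Local\Temp\390.exe",
    r"file pid=2236 C:\Windows\SysWOW64\system32\Svchost.exe",
    r"process pid=1728 C:\Windows\SysWOW64\system32\Svchost.exe",
    r"mutex pid=1728 G16V88J605XN2M",
    r"connect pid=1728 stopscammingidiot.no-ip.biz:100",
    r"registry pid=2676 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ExampleComponent\StubPath",
    r"process pid=1132 C:\Windows\SysWOW64\explorer.exe",
    r"process pid=876 C:\Windows\System32\svchost.exe",
    r"process pid=999 C:\Users\Admin\AppData\Roaming\svchost.exe",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"pid {hit.pid}: {hit.reason}  <- {hit.line}")
```

The ordering inside `classify` matters: a genuine `C:\Windows\System32\svchost.exe` also ends in `\system32\svchost.exe`, so the legitimate-directory check has to run before the install-path match or the real service host would be flagged on every machine. The sample's binary sits under `SysWOW64\system32\`, a directory that does not exist on a clean install, which is why the same tail test catches it.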

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\390.exe

      Filesize

      296KB

      MD5

      6afb13c14bf63d663dbe88d7f1fe0130

      SHA1

      5e707443dc8dfc126f443fa405af457913dec921

      SHA256

      cd5d45fba6c736217301dae95df68b0842223b2781dc4b8aa2c8135903e538c2

      SHA512

      e8d4adb40dcc6291c5eec5af649ac1f3b1c38faa398d8e76617c5bcc29cb2f449554ade6c6daf1f35505ada83c86d9fb473e5899d8bccb814aaa1e931fed2bf3

    • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

      Filesize

      224KB

      MD5

      537f0e7700ff24a57387c521de33180c

      SHA1

      36d53fc26e52246004faae2a05be9e50e061092b

      SHA256

      ec61484dd232a758459a865466127964c4069a288c1ae46ea55baa34ffdbf774

      SHA512

      2a149bc39436028077bf1fadb0cb95cd4e2e9a6b7ef43dd64b7e3f379eff5b1a9bf4e9866ec8c932e43979d20bc23b9f7978419a9a4babf417c218cce3ff6018

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      1e858f05a0d1991b4ed133a5e2cef7e8

      SHA1

      fa1d6f2207710792a7b12240e87fe8be316ae7d4

      SHA256

      1b98785d22173cb1bb9baeae6a0d8113a3dbd0e3d29b1dcaea77b204aab8ec7e

      SHA512

      d415dfcaa7f24ddbbcaa2e58087e601bf5257157192382f4440bdb39f0551f3cfbca60ca0ed370ffa38c7192da5b44cbf1f28a717fb843b9b28fd1b4fbbd8d08

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      03d10db4085517cda570f3cbd9059830

      SHA1

      1e7e07a305a8e6a8c1dd67608194ee8e38e893f5

      SHA256

      4fa709879c5cfaf66f4787add76acb68179a62862d6cdaba8b587655d147ac1f

      SHA512

      ba2f1eb0933d3a848a55c98726470cc23c1066db41c21bda425cc9e8a01a42bc412c113c447606e39cbd4639cef8d3f53db61b7c2715a24d89b66c1c9869e3ad

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      373954e294ec33eff9315a07c72df016

      SHA1

      600c591ebb9b51048d262b35bd258e20c3802cfd

      SHA256

      88d3644b2febe02a82a4503b63c81a1f7beba748858ea6758a4b909e733ec82b

      SHA512

      05ec77fadb3cc516239ae349285b6c513879df2756f045da0dab04b8ff6eb08f4d43739b4b667eae2bf0b2db03961551872b2e3bdb57c4c5c2dcd6e5a7723c0c

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      0e48969da6936b4bab3c6aff2751eb8b

      SHA1

      7774963632978cba8975626c05c7b5cf29b50ffe

      SHA256

      116d308c7771f85e03a82ee78cf285f8de8feb26e236ac0f1a4755dbb28b4548

      SHA512

      2ee7287dd20ba6d2a249a1d87ade5ddf3f324bb15279e099067491dbc0df7d1f424f5e6b6db3f633fa74bf7d2e3c53fd837815b6906d427a476bc0792fd1b475

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      34bbde9f103d7bcffece01a8349c9328

      SHA1

      b3d5b9a8597455d9abc17d79e12853b8c0620c20

      SHA256

      b3dcc84b95aa4d2edb00e2cc81ae60e9c2fe2e17c29b5c4a4113f1c2d9f84a69

      SHA512

      39a875ec1d0578fd4f4ced5eea65f4e6331f662ff6693e6213c9fe8ebc3024c6d101e134533202fa1876244e8565e90b73983f4f2c8d65029bd6cda17c028c11

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      fc8b17671cc1c540ba24d84dd33b9e99

      SHA1

      e200f00fc859461856fe0434ad6ad31331471f13

      SHA256

      5c57430ff013a486361372c945d64b92b12acea4c6de47b26e275dee6af79b0c

      SHA512

      0915b57632916fb5a11f51e8b2d7c7da1f1ffa8128f8f4b2d4cdbc700e6076a90eefc5a80c9b5ccc0edf0b679a2afed64bec5796b4fc7a9908ed8760225ab06f

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      fc30c471af787a509ba543200f9fbdaf

      SHA1

      89ab2ad4d73a5a0214bfa47c191be1425f6a39c8

      SHA256

      9ca221daaab8cb801a9e2a95fe129ac315be2310314eb8e74b343962fa7a1078

      SHA512

      d7b594fcd4ddda3ddc741412abd39c066a5e6420d0ce6da6612d371c6357ccd448def0a3490ce1dde65d4664afe883e9282b683d434ded0c4f44080c9163b9bd

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      8f250c95aedd0545331d5f10310eb013

      SHA1

      45429e5c7bb233a1df6461e2580199099f2af8bc

      SHA256

      0033913cbb7922f181599bb998c791aba3260238bfa6d659e7ce38dd119f4bea

      SHA512

      0ca57fd1b7ba683708b6ff51df601861c7e8eff104e575b8d162d6e0a1edff2ea9f30c62ef8ffaf45e02aba6fccfbd52320956e6d7a55517a50bdeeafdd74c89

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      bf6d907d583a5dc58cdf2848d5abda67

      SHA1

      874d0c1ce640e7e2405fd980ca5a021536d65ad6

      SHA256

      f76613277035a507d87f80f133a818d48386573eeb4cf121af7fc07a79464840

      SHA512

      35f554c9567a99c396cb305649234e4685f8952282dab1c36d3668fae2bb96239196c070c6d74f17fc3660dfd1fd185a212085026fa000832dad518d386ba9e2

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      98382862ac04d5bfaa9eeb55ee08251e

      SHA1

      ffb7fbb6cdfde351dd7eb9c8c4463797d7b1aae0

      SHA256

      69fc26781d44c8a86f3f61f2bc95222405a0c3d85f476039d77638ee9eb97918

      SHA512

      c283e147486d1ca8af34e74d064515ff31e27d472bce3d7f21ff5c1e210f87929088288888a18d71a3a9f88ae2d00070238dbdaf818a072b010c419962997a94

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      a9aca66fbd28e3d921743a8a98770f13

      SHA1

      652c51635552b6b4276f47e3620bbbd67d343195

      SHA256

      b2ee6efc6a39621fd685e407b23f7cf91ce30eb45bd49f5373e9cda800fd8381

      SHA512

      06d5af8ffa09de1b966d5b06b530ceff7ea7852725c0ae818bc09dd3d080a7e6e9678f4afd84e6a5e981a39b19235f3691d131de10a216bdf90dee7914b7f796

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      46e11af47b3fb5e844d9d0638041f567

      SHA1

      5bc0b4df12682ac7b6c66911eb0e5e21d7ebc8b0

      SHA256

      550fc11bef0f1a1242958c507c9370b0adce117f6a86541be367836104ce3b08

      SHA512

      09b68e0b0831dbd0ae08ec99cf6c8da48f7234637e990cf12c731078ec0deb13c9e801e41b990bbc4aecacf8a29d2260460fc0c045af0f766ec21b6f9236c989

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      6382cbe3f59261bcd18b3dcb0c0541d6

      SHA1

      dc81ee7528ef463b4ebd412836b82c67c87bc868

      SHA256

      e0f7f40db8f4c3098b6ff1a0a4f20b7f7b37f20f12cae5da572955afe48c3c6c

      SHA512

      64cf7db8025f23b83a045dbf8d9affa89c457193c8e512746609f9c4a59abf1823bda5555108017e24f7968a6c03c370a4ff505b41531f7e811ffa4d2f0cb24c

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      eba36b2caf774b17d1c6a872c22663a0

      SHA1

      236b6e325490684a8bb2268975e5cd24957bb8f2

      SHA256

      b8601fd1bf2edf3026c4eca69ab09b0e6b06d5bd45a8a772abcb8ea9dff76a80

      SHA512

      0f251cb81f3aeee2c52a38522db0a1f5bebb6f13fd0b367e5c6a3d9ab8f8bfc7610389ccf7e0853d309ea3ae24c409535ffbc10fffd3b9ec95595a33e1dc59fd

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      8f3c24c32576de06579b3aed766a664b

      SHA1

      a84c2f0f321722c2037d31ac32ef1f599a6753f9

      SHA256

      fc935cb3f3f61614f4b29a8827e01a16763db0118d0b550265a9af01f1e7b407

      SHA512

      dd2503d60632c431602120cd1003b024c1f4c911c0d21e59ce039f8201eabcf13560289a84f60bb7f35477b4e4735e344e2800fdbefb866f0cc893de442a2af8

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      fd43772f2536e66de1e0ba547f468f96

      SHA1

      400cd306435ebaeb2cd2f98f50f38368bbec8c68

      SHA256

      e0f9d8f446422a525ace379d087d74a25a0f38607c3f25cbaf6d63ad18487913

      SHA512

      032a18b68cbae9c8676653d24bfe11f977f65f910123c6ca78456dd1749305736afdffc5d4686d1f8fcb71e8151a443d61c5b28d2a3078f284740708de7047d0

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      939a8444728fea2088a276f4f0f35b91

      SHA1

      5f6dbffb92285ae3607cce4f6a91b8467b1649ec

      SHA256

      76b0f144c40cf68745fe2f2a567f4e9bc6553700cdd7f7cffe86f37d706d1663

      SHA512

      100e1ccc988c08ebb46f6f2892fc427322f72c83bb703dc7ca89863390372f1b225dc917bd2f7e5e8e5f9558e208db803e3a3a0ad382817a6c96550a756815c4

    • C:\Users\Admin\AppData\Local\Temp\Admin7

      Filesize

      8B

      MD5

      f43331d13b9025126af9c5dfad8938f0

      SHA1

      7ab4ed32b06312a85aa71a641220737f70ebe0f6

      SHA256

      4fabe42627ff95196e22a44cab025d0e6611ee9cb12eaa73eb37a8001a20f20e

      SHA512

      2dbff28957b463337a4c12013c01600d81a2d67afcac98baf163c4b72a9fbe64aa679d752d29c13a5df3ad6417b56ea76a1ac25598b1a6ab8fa79e560c5d467e

    • C:\Users\Admin\AppData\Roaming\Adminlog.dat

      Filesize

      15B

      MD5

      bf3dba41023802cf6d3f8c5fd683a0c7

      SHA1

      466530987a347b68ef28faad238d7b50db8656a5

      SHA256

      4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

      SHA512

      fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

    • memory/1132-273-0x00000000000E0000-0x00000000000E1000-memory.dmp

      Filesize

      4KB

    • memory/1132-255-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB

    • memory/1132-914-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/1132-558-0x0000000010480000-0x00000000104E5000-memory.dmp

      Filesize

      404KB

    • memory/1184-12-0x0000000002E20000-0x0000000002E21000-memory.dmp

      Filesize

      4KB

    • memory/2260-0-0x000007FEF646E000-0x000007FEF646F000-memory.dmp

      Filesize

      4KB

    • memory/2260-7-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2260-902-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

    • memory/2676-11-0x0000000010410000-0x0000000010475000-memory.dmp

      Filesize

      404KB