Edit tour

Windows Analysis Report
250428-dq9xmaztft.bin.exe

Overview

General Information

Sample name:	250428-dq9xmaztft.bin.exe
Analysis ID:	1675861
MD5:	dbc7c9b64696b92d0b551b08ba21cc45
SHA1:	cd3fb7070e07b640df6a297fbdb6274345a3cf62
SHA256:	3db2b13eb95ac2759b948f25b423ee1965b9c8e0badddea010a73bbb4bcd4300
Tags:	user-UNP4CK
Infos:

Detection

CyberGate

Score:	80
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CyberGate RAT

Contain functionality to detect virtual machines

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

One or more processes crash

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

250428-dq9xmaztft.bin.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe" MD5: DBC7C9B64696B92D0B551B08BA21CC45)

WerFault.exe (PID: 7700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 476 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CyberGate	According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access tothe victims system. Attackers can remotely connect to the compromised system from anywherearound the world. The Malware author generally uses this program to steal private informationlike passwords, files, etc. It might also be used to install malicious software on the compromisedsystems.	No Attribution	https://blog.cyber5w.com/cybergate-malware-analysis https://blog.reversinglabs.com/blog/rats-in-the-library https://citizenlab.ca/2015/12/packrat-report/ https://sectrio.com/wp-content/uploads/2021/08/cybergate-threat-report.pdf https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process	https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0xb140:$a1: IELOGIN.abc 0x8ee8:$a2: xxxyyyzzz.dat 0xb0e8:$a3: _x_X_PASSWORDLIST_X_x_ 0x6f30:$a4: L$_RasDefaultCredentials#0 0x9db4:$a5: \signons1.txt
00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_CyberGate_9996d800	unknown	unknown	0x9fa2:$a1: 24 08 8B 44 24 08 83 C4 14 5D 5F 5E 5B C3 55 8B EC 83 C4 F0
Process Memory Space: 250428-dq9xmaztft.bin.exe PID: 7624	JoeSecurity_CyberGate	Yara detected CyberGate RAT	Joe Security
Process Memory Space: 250428-dq9xmaztft.bin.exe PID: 7624	Windows_Trojan_CyberGate_517aac7d	unknown	unknown	0x7d5a:$a1: IELOGIN.abc 0x7943:$a2: xxxyyyzzz.dat 0x7cff:$a3: _x_X_PASSWORDLIST_X_x_ 0x7d26:$a3: _x_X_PASSWORDLIST_X_x_ 0x760f:$a4: L$_RasDefaultCredentials#0 0x7b7b:$a5: \signons1.txt

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 250428-dq9xmaztft.bin.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 250428-dq9xmaztft.bin.exe	Virustotal: Detection: 58%			Perma Link
Source: 250428-dq9xmaztft.bin.exe	ReversingLabs: Detection: 86%

Source: 250428-dq9xmaztft.bin.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Yara detected CyberGate RAT

Source: Yara match	File source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 250428-dq9xmaztft.bin.exe PID: 7624, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown
Source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 Author: unknown
Source: Process Memory Space: 250428-dq9xmaztft.bin.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_CyberGate_517aac7d Author: unknown

Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 476

Source: 250428-dq9xmaztft.bin.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12
Source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CyberGate_9996d800 reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = eb39d2ff211230aedcf1b5ec0d1dfea108473cc7cba68f5dc1a88479734c02b0, id = 9996d800-a833-4535-972b-3ee320215bb6, last_modified = 2022-04-12
Source: Process Memory Space: 250428-dq9xmaztft.bin.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_CyberGate_517aac7d reference_sample = 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365, os = windows, severity = x86, creation_date = 2022-02-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CyberGate, fingerprint = 3d998bda8e56de6fd6267abdacffece8bcf1c62c2e06540a54244dc6ea816825, id = 517aac7d-2737-4917-9aa1-c0bd1c3e9801, last_modified = 2022-04-12

Source: classification engine

Classification label: mal80.troj.evad.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7624

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\35e63d88-21d9-4e04-a279-386848f23e62

Jump to behavior

Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 250428-dq9xmaztft.bin.exe	Virustotal: Detection: 58%
Source: 250428-dq9xmaztft.bin.exe	ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe "C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe"
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 476

Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Section loaded: rasman.dll	Jump to behavior

Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00404846 push 00404874h; ret	0_2_0040486C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00404848 push 00404874h; ret	0_2_0040486C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004048E4 push 00404910h; ret	0_2_00404908
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004050EC push 00405118h; ret	0_2_00405110
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040B080 push 0040B0ACh; ret	0_2_0040B0A4
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004058A8 push 004058D4h; ret	0_2_004058CC
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00409948 push 00409974h; ret	0_2_0040996C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00407100 push 0040712Ch; ret	0_2_00407124
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00408918 push 00408954h; ret	0_2_0040894C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040891C push 00408954h; ret	0_2_0040894C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00407138 push 00407164h; ret	0_2_0040715C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004071C4 push 004071F0h; ret	0_2_004071E8
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040718C push 004071B8h; ret	0_2_004071B0
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040898E push 004089BCh; ret	0_2_004089B4
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00408990 push 004089BCh; ret	0_2_004089B4
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040720A push 00407238h; ret	0_2_00407230
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040720C push 00407238h; ret	0_2_00407230
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00404216 push 00404244h; ret	0_2_0040423C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00404218 push 00404244h; ret	0_2_0040423C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040BAD0 push 0040BB00h; ret	0_2_0040BAF8
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00407AE8 push 00407B24h; ret	0_2_00407B1C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00407AEC push 00407B24h; ret	0_2_00407B1C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004032B8 push 004032F2h; ret	0_2_004032EA
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00406B10 push 00406B48h; ret	0_2_00406B40
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040345C push 00403494h; ret	0_2_0040348C
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00404C88 push 00404E05h; ret	0_2_00404DFD
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004034A0 push 004034CCh; ret	0_2_004034C4
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004045CB push 004045F8h; ret	0_2_004045F0
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004045CC push 004045F8h; ret	0_2_004045F0
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00404644 push 00404697h; ret	0_2_0040468F
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_0040AE50 push 0040AE88h; ret	0_2_0040AE80

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe

Code function: VBoxService.exe VBoxService.exe

0_2_004051CC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLLS3
Source: 250428-dq9xmaztft.bin.exe, 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLL

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exeS3
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe

Code function: 0_2_00401000 LdrInitializeThunk,

0_2_00401000

Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_004056DC mov eax, dword ptr fs:[00000030h]	0_2_004056DC
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00405684 mov eax, dword ptr fs:[00000030h]	0_2_00405684
Source: C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe	Code function: 0_2_00405770 mov eax, dword ptr fs:[00000030h]	0_2_00405770

Source: 250428-dq9xmaztft.bin.exe, 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWnd
Source: 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: explorer.exeexplorer.exeshell_traywndopenU
Source: 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Shell_TrayWndU
Source: 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: _PERSISTShell_TrayWndexplorer.exeU
Source: 250428-dq9xmaztft.bin.exe, 250428-dq9xmaztft.bin.exe, 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: shell_traywnd

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected CyberGate RAT

Source: Yara match	File source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 250428-dq9xmaztft.bin.exe PID: 7624, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	221 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
250428-dq9xmaztft.bin.exe	58%	Virustotal		Browse
250428-dq9xmaztft.bin.exe	86%	ReversingLabs	Win32.Worm.Rebhip
250428-dq9xmaztft.bin.exe	100%	Avira	TR/Llac.hqa

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1675861
Start date and time:	2025-04-28 05:20:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	250428-dq9xmaztft.bin.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.190.190.195, 184.29.183.29, 131.253.33.254, 20.12.23.50
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 250428-dq9xmaztft.bin.exe, PID 7624 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
23:21:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_250428-dq9xmaztf_63b54218f390fa8d7f1f68ee4c967f71c3c597b_65355785_bbdf38c1-6b06-47b0-a849-3b5360e8a887\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7828806772333771
Encrypted:	false
SSDEEP:	96:zxFpyyPs+hhk7Mf3QXIDcQvc6QcEVcw3cE/n+HbHg/uAnQO32k8q9w7N/4oRgmOm:NDZPe0BU/gjZgnqzuiF7Z24IO8XiV
MD5:	0E6C22725B84CE00F7CA23EA6A678733
SHA1:	4856048877B8D968BF5ED7656AAA217358E17123
SHA-256:	1EFEAF5FB47A739D23EC3E112D769ACA99524BDD9A0AD64D94F2BF1F8F12F593
SHA-512:	8D220DF34EFD98501F8DBC09A48489A0E5FB71D3AD1E692785AFF5E7A8C6B510B23F6362E1F8C129A5F9B21AD0E059F3BC243A3CB1F46732BD9BB9811E6C64B0
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.0.2.8.4.0.7.5.9.3.1.7.3.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.9.0.2.8.4.0.7.6.2.7.5.4.7.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.d.f.3.8.c.1.-.6.b.0.6.-.4.7.b.0.-.a.8.4.9.-.3.b.5.3.6.0.e.8.a.8.8.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.a.0.0.1.8.3.-.a.4.4.6.-.4.c.f.d.-.9.5.0.b.-.a.2.2.f.1.5.0.3.e.c.0.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.5.0.4.2.8.-.d.q.9.x.m.a.z.t.f.t...b.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.c.8.-.0.0.0.1.-.0.0.1.8.-.a.2.d.1.-.a.4.9.9.e.c.b.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.2.b.8.d.b.a.2.4.7.5.3.6.0.e.e.4.3.2.9.b.0.5.c.9.b.e.f.f.e.4.0.0.0.0.0.f.f.f.f.!.0.0.0.0.c.d.3.f.b.7.0.7.0.e.0.7.b.6.4.0.d.f.6.a.2.9.7.f.b.d.b.6.2.7.4.3.4.5.a.3.c.f.6.2.!.2.5.0.4.2.8.-.d.q.9.x.m.a.z.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47BA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Apr 28 03:21:16 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	35854
Entropy (8bit):	1.9458937226745838
Encrypted:	false
SSDEEP:	192:ketGA6vtT/6OcrHk1M9E7tiQh6ZoXhi+M:T03DFcro7tiQ46X2
MD5:	71951CA9EE38A029B831B7488CA8FCD8
SHA1:	38E875C56D270CBDC00368A9471DF96A008A5C37
SHA-256:	7B5744EF4596D61F40E61A7AF510AF50AFE355B94323061284B1B5928175002F
SHA-512:	287994237A91CBC8E304E270AD82664DF92C2F1B361D9DAE8C5226D5E5BDE787B1BF5E8A141DA44752392C65D6F962820C1F94B8DB3B37CCE45FAE1503FD57B0
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......,..h........................................."..........T.......8...........T........... ....x..........,...........................................................................................eJ..............GenuineIntel............T...........+..h.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4828.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.6979608503546157
Encrypted:	false
SSDEEP:	192:R6l7wVeJtL6b6Y6qSUeOgmfa9prH89bmxsftim:R6lXJR6b6Y3SUeOgmfaYmqfZ
MD5:	54F7BB1D7890D3612BCBF7D9DC4DA50E
SHA1:	FC51BD8AED12217537CC81F324A26BA72D869A82
SHA-256:	BBEA8BA6FD0F53A37FDCC6E2C8280963BB1B52202E2BEFD35680000C54496F06
SHA-512:	898C491F064142A24BFEB3D0AB603E0D5111BCF8586B5A2C7842BFE630609C9B6A104AC2BA5FD60F14EFB0E171CB9B20279950DEDA46F1C57B2C678917A9E0D4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4887.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4656
Entropy (8bit):	4.479126513855226
Encrypted:	false
SSDEEP:	96:uIjf+I7br7VYJfbmb2b8OgPbabgh2z2ydd:uIiYbr7CfKSQOkm04S4
MD5:	90A6065E3D971EB5DF5CA052BE1357F7
SHA1:	63144AC865C47F5695A1E3854AD90B950E820794
SHA-256:	3A1F576373257FD2D54B81315E4243638A862583E0DC65701EEC9E40906C173F
SHA-512:	1A0158A0F54D29BD829936CF716B2EA010357B308BB0BF355A5F401D2A114A48E4C3A5508BE815B7AA6C6D5DE6A9415FF23897EC0DF89077EA0D98B24A516E9F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="824783" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4687398842376025
Encrypted:	false
SSDEEP:	6144:AIXfpi67eLPU9skLmb0b4QWSPKaJG8nAgejZMMhA2gX4WABlVuNHdwBCswSbk:FXD94QWlLZMM6YFUt+k
MD5:	695EC25C00A71FB0D3E64DEFAA776484
SHA1:	5BA580E386EA69DE3037F7235F8C083F6FDB5D50
SHA-256:	8035FCE8B763A0BF05C5144476DFCE1E33647C399EDCDF1A4300DAAC80D826F0
SHA-512:	5F89F0BA5D77EC0BCD7ADD0E909DED97C4B937EEA1A7B185DBFBF91F3C49FADFFB064EA1FE3E3862E8ACDC273E9426CF7EE98FE4D2A74F4B931F978F060BBB0E
Malicious:	false
Reputation:	low
Preview:	regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..................................................................................................................................................................................................................................................................................................................................................p.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.74964605238861
TrID:	Win32 Executable (generic) a (10002005/4) 99.37% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	250428-dq9xmaztft.bin.exe
File size:	278'528 bytes
MD5:	dbc7c9b64696b92d0b551b08ba21cc45
SHA1:	cd3fb7070e07b640df6a297fbdb6274345a3cf62
SHA256:	3db2b13eb95ac2759b948f25b423ee1965b9c8e0badddea010a73bbb4bcd4300
SHA512:	c2a8126be4ee92756c2101570043076542f3e3e61f511f07e762a8730c8c97d26295fd3f64d522b4aac670693cf3342d219e65a5cab854ae8b6022e2beaba057
SSDEEP:	6144:Mk4qmr73P0MqUgOtiehS+jjr4vbdG/08yG2UI9:/9gPq7jajHUtUI
TLSH:	844412D7E58DE8EDE4A34D345B29D0F46CEF2166A630BB348D0FC7E565390D2688920B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4535d0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cba5bd52b3e624400ffe41eb22644b79

Entrypoint Preview

Instruction
pushad
mov esi, 00410000h
lea edi, dword ptr [esi-0000F000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F72ECB3EB12h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F72ECB3EB09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F72ECB3EAEFh
mov eax, 00000001h
add ebx, ebx
jne 00007F72ECB3EB09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F72ECB3EB0Dh
jne 00007F72ECB3EB2Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F72ECB3EB21h
dec eax
add ebx, ebx
jne 00007F72ECB3EB09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F72ECB3EAD6h
add ebx, ebx
jne 00007F72ECB3EB09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F72ECB3EB54h
xor ecx, ecx
sub eax, 03h
jc 00007F72ECB3EB13h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F72ECB3EB77h
sar eax, 1
mov ebp, eax
jmp 00007F72ECB3EB0Dh
add ebx, ebx
jne 00007F72ECB3EB09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F72ECB3EACEh
inc ecx
add ebx, ebx
jne 00007F72ECB3EB09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F72ECB3EAC0h
add ebx, ebx
jne 00007F72ECB3EB09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F72ECB3EAF1h
jne 00007F72ECB3EB0Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F72ECB3EAE6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [eax+eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x540f8	0x274	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x10000	0x44000	0x43800	335d859e02c8bd405046f81f3ffa6471	False	0.9712239583333333	data	7.7524604698030055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x1000	0x400	3020cd185afa956fe5de9b5693c4ea9d	False	0.435546875	data	3.538710451959907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x140f8	0x10	Non-ISO extended-ASCII text, with no line terminators	1.5625
RT_RCDATA	0x14108	0x184	data	1.0283505154639174
RT_RCDATA	0x1428c	0x39714	data	0.9697174478502576

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll	LsaClose
crypt32.dll	CryptUnprotectData
ole32.dll	CoTaskMemFree
oleaut32.dll	SysFreeString
pstorec.dll	PStoreCreateInstance
rasapi32.dll	RasEnumEntriesA
shell32.dll	SHGetSpecialFolderPathA
user32.dll	ToAscii

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• 250428-dq9xmaztft.bin.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• 250428-dq9xmaztft.bin.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: 250428-dq9xmaztft.bin.exePID: 7624, Parent PID: 3964

Function Logs

General

Target ID:	0
Start time:	23:21:15
Start date:	27/04/2025
Path:	C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\250428-dq9xmaztft.bin.exe"
Imagebase:	0x400000
File size:	278'528 bytes
MD5 hash:	DBC7C9B64696B92D0B551B08BA21CC45
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_CyberGate_517aac7d, Description: unknown, Source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_CyberGate_9996d800, Description: unknown, Source: 00000000.00000002.1194682545.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 250428-dq9xmaztft.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_250428-dq9xmaztf_63b54218f390fa8d7f1f68ee4c967f71c3c597b_65355785_bbdf38c1-6b06-47b0-a849-3b5360e8a887\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47BA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4828.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4887.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
250428-dq9xmaztft.bin.exe