cybergate | 70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51

General

Target

23B164D8C48B45A03A7E80640E53A233.exe
Size

312KB
MD5

23b164d8c48b45a03a7e80640e53a233
SHA1

0a2e835662940927e63d510e955839e4ffdf0b69
SHA256

70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51
SHA512

91bc27fb283068a358986c03be925404f2eac56016da52c99cf3df519dbadb08d52f83b5ea654cd39d6b56c8bc2e3cf1b6306e98167d7c4facd22fcc298ac7fb

Score

10^/10

cybergate persistence stealer trojan upx

Malware Config

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23B164D8C48B45A03A7E80640E53A233.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	23B164D8C48B45A03A7E80640E53A233.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\SVCHOST.exe"	23B164D8C48B45A03A7E80640E53A233.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	23B164D8C48B45A03A7E80640E53A233.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\SVCHOST.exe"	23B164D8C48B45A03A7E80640E53A233.exe

Executes dropped EXE 1 IoCs

Processes:

SVCHOST.exe

pid process

1008 SVCHOST.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1008	SVCHOST.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\??\c:\dir\install\install\SVCHOST.exe	upx
behavioral2/memory/3048-154-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
C:\dir\install\install\SVCHOST.exe	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23B164D8C48B45A03A7E80640E53A233.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	23B164D8C48B45A03A7E80640E53A233.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\SVCHOST.exe"	23B164D8C48B45A03A7E80640E53A233.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	23B164D8C48B45A03A7E80640E53A233.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\SVCHOST.exe"	23B164D8C48B45A03A7E80640E53A233.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

576 1008 WerFault.exe SVCHOST.exe

pid	pid_target	process	target process
576	1008	WerFault.exe	SVCHOST.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

23B164D8C48B45A03A7E80640E53A233.exe

pid process

384 23B164D8C48B45A03A7E80640E53A233.exe

pid	process
384	23B164D8C48B45A03A7E80640E53A233.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

23B164D8C48B45A03A7E80640E53A233.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	384	23B164D8C48B45A03A7E80640E53A233.exe
Token: SeDebugPrivilege	384	23B164D8C48B45A03A7E80640E53A233.exe
Token: SeRestorePrivilege	576	WerFault.exe
Token: SeBackupPrivilege	576	WerFault.exe
Token: SeDebugPrivilege	576	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

23B164D8C48B45A03A7E80640E53A233.exe

pid process

2256 23B164D8C48B45A03A7E80640E53A233.exe

pid	process
2256	23B164D8C48B45A03A7E80640E53A233.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

23B164D8C48B45A03A7E80640E53A233.exe

description	pid	process	target process
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE
PID 2256 wrote to memory of 3040	2256	23B164D8C48B45A03A7E80640E53A233.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\23B164D8C48B45A03A7E80640E53A233.exe
"C:\Users\Admin\AppData\Local\Temp\23B164D8C48B45A03A7E80640E53A233.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:3048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\23B164D8C48B45A03A7E80640E53A233.exe
"C:\Users\Admin\AppData\Local\Temp\23B164D8C48B45A03A7E80640E53A233.exe"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\dir\install\install\SVCHOST.exe
"C:\dir\install\install\SVCHOST.exe"
4⤵
- Executes dropped EXE
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 652
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
MD5
130e99a265bad9ae46a3c07f5f119b26

SHA1
ce5907b4275bda3b33a2df9d76d731c79f88289a

SHA256
79f36982d1a5015380674bb36e6d6655de966e8e9e51c643f0a97c4a60afca34

SHA512
99ae064e03e55d1c940d864070edb9be595e22e5ebaae3f0916105eaa205abfdb54c4d5b527a7c4dca1dfcc3c33da5098627593a1cc306d87b2a64630d45e6f5

Download Submit
C:\dir\install\install\SVCHOST.exe
MD5
23b164d8c48b45a03a7e80640e53a233

SHA1
0a2e835662940927e63d510e955839e4ffdf0b69

SHA256
70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51

SHA512
91bc27fb283068a358986c03be925404f2eac56016da52c99cf3df519dbadb08d52f83b5ea654cd39d6b56c8bc2e3cf1b6306e98167d7c4facd22fcc298ac7fb

Download Submit
\??\c:\dir\install\install\SVCHOST.exe
MD5
23b164d8c48b45a03a7e80640e53a233

SHA1
0a2e835662940927e63d510e955839e4ffdf0b69

SHA256
70a9324fd74829cb87228210962e4b68747f6203b4de74e061d67fc4b7f5da51

SHA512
91bc27fb283068a358986c03be925404f2eac56016da52c99cf3df519dbadb08d52f83b5ea654cd39d6b56c8bc2e3cf1b6306e98167d7c4facd22fcc298ac7fb

Download Submit
memory/384-157-0x0000000000000000-mapping.dmp

Download
memory/384-168-0x00000000007F0000-0x000000000093A000-memory.dmp

Filesize
1.3MB

Download
memory/1008-158-0x0000000000000000-mapping.dmp

Download
memory/3048-116-0x0000000000000000-mapping.dmp

Download
memory/3048-117-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3048-120-0x0000000003570000-0x00000000036A6000-memory.dmp

Filesize
1.2MB

Download
memory/3048-122-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3048-125-0x0000000003570000-0x00000000036A6000-memory.dmp

Filesize
1.2MB

Download
memory/3048-154-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads