cybergate | 7ef8a647eee5935219cea3f21cdc5a1fe28a53b177c6d3280e5ee8f2304b3e5c

General

Target

7C09DCEBD6136A6A73A96EAC91568DCC.exe
Size

789KB
MD5

7c09dcebd6136a6a73a96eac91568dcc
SHA1

4e197a783345969df826faaca772b065530bd6c5
SHA256

7ef8a647eee5935219cea3f21cdc5a1fe28a53b177c6d3280e5ee8f2304b3e5c
SHA512

c5c180756342e3a5456d19084e6bd75ac5ed73068566e89c0e5d25aa740893306aca48ffb25e320a605e53f942c1299767da4e9f215f8d31f53b2c2ce5327c22

Score

10^/10

cybergate remote stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

asade.no-ip.org:25565

Mutex

D4T52W8MT863F7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
rdns
install_file
windows
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
erterterter
regkey_hklm
sdsdfsdf

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 1 IoCs

Processes:

7C09DCEBD6136A6A73A96EAC91568DCC.exe

pid process

1192 7C09DCEBD6136A6A73A96EAC91568DCC.exe

pid	process
1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1620-78-0x0000000010480000-0x00000000104F0000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

7C09DCEBD6136A6A73A96EAC91568DCC.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\484.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\484.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe

Loads dropped DLL 1 IoCs

Processes:

7C09DCEBD6136A6A73A96EAC91568DCC.exe

pid process

1632 7C09DCEBD6136A6A73A96EAC91568DCC.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

7C09DCEBD6136A6A73A96EAC91568DCC.exe

description pid process target process

PID 1632 set thread context of 1192 1632 7C09DCEBD6136A6A73A96EAC91568DCC.exe 7C09DCEBD6136A6A73A96EAC91568DCC.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1620 explorer.exe
Token: SeDebugPrivilege 1620 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7C09DCEBD6136A6A73A96EAC91568DCC.exe

pid process

1192 7C09DCEBD6136A6A73A96EAC91568DCC.exe

pid	process
1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe

description	pid	process	target process
PID 1632 set thread context of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe

description	pid	process
Token: SeDebugPrivilege	1620	explorer.exe
Token: SeDebugPrivilege	1620	explorer.exe

pid	process
1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7C09DCEBD6136A6A73A96EAC91568DCC.exe7C09DCEBD6136A6A73A96EAC91568DCC.exe

description	pid	process	target process
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1632 wrote to memory of 1192	1632	7C09DCEBD6136A6A73A96EAC91568DCC.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE
PID 1192 wrote to memory of 1200	1192	7C09DCEBD6136A6A73A96EAC91568DCC.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe
  "C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe
    "C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe

MD5
7c09dcebd6136a6a73a96eac91568dcc

SHA1
4e197a783345969df826faaca772b065530bd6c5

SHA256
7ef8a647eee5935219cea3f21cdc5a1fe28a53b177c6d3280e5ee8f2304b3e5c

SHA512
c5c180756342e3a5456d19084e6bd75ac5ed73068566e89c0e5d25aa740893306aca48ffb25e320a605e53f942c1299767da4e9f215f8d31f53b2c2ce5327c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

MD5
7222c3ebffd72960efc25483cd0dcfbf

SHA1
4e0fe4f0908e7661dea79beb207adb9976cce274

SHA256
3c0f135e19597809f770176302f07cb9f209c755be0685a84b7d92cb2736e555

SHA512
96f287c7f338c2aba5481e2319c96154f1289dda610e8c64856fd56fa0e18f4c0198e863c127dc1f6cb688ff24cd8bcb71ea6e4979e60cbbc97644b857a3a4d7

Download Submit
\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe

MD5
7c09dcebd6136a6a73a96eac91568dcc

SHA1
4e197a783345969df826faaca772b065530bd6c5

SHA256
7ef8a647eee5935219cea3f21cdc5a1fe28a53b177c6d3280e5ee8f2304b3e5c

SHA512
c5c180756342e3a5456d19084e6bd75ac5ed73068566e89c0e5d25aa740893306aca48ffb25e320a605e53f942c1299767da4e9f215f8d31f53b2c2ce5327c22

Download Submit
memory/1192-67-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1192-65-0x0000000000409860-mapping.dmp

Download
memory/1192-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1192-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1620-71-0x0000000000000000-mapping.dmp

Download
memory/1620-73-0x0000000074A01000-0x0000000074A03000-memory.dmp

Filesize
8KB

Download
memory/1620-75-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1620-76-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1620-77-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/1620-78-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1632-60-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1632-62-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads