cybergate | 7ef8a647eee5935219cea3f21cdc5a1fe28a53b177c6d3280e5ee8f2304b3e5c

Analysis

max time kernel
150s
max time network
140s
platform
windows10_x64
resource
win10v20210408
submitted
24-07-2021 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7C09DCEBD6136A6A73A96EAC91568DCC.exe
Size

789KB
MD5

7c09dcebd6136a6a73a96eac91568dcc
SHA1

4e197a783345969df826faaca772b065530bd6c5
SHA256

7ef8a647eee5935219cea3f21cdc5a1fe28a53b177c6d3280e5ee8f2304b3e5c
SHA512

c5c180756342e3a5456d19084e6bd75ac5ed73068566e89c0e5d25aa740893306aca48ffb25e320a605e53f942c1299767da4e9f215f8d31f53b2c2ce5327c22

Score

10^/10

cybergate remote stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

asade.no-ip.org:25565

Mutex

D4T52W8MT863F7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
rdns
install_file
windows
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
erterterter
regkey_hklm
sdsdfsdf

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Executes dropped EXE 1 IoCs

pid	Process
648	7C09DCEBD6136A6A73A96EAC91568DCC.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/576-131-0x0000000010480000-0x00000000104F0000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\779.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\779.exe	7C09DCEBD6136A6A73A96EAC91568DCC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 860 set thread context of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	explorer.exe
Token: SeDebugPrivilege	576	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
648	7C09DCEBD6136A6A73A96EAC91568DCC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 860 wrote to memory of 648	860	7C09DCEBD6136A6A73A96EAC91568DCC.exe	75
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28
PID 648 wrote to memory of 2644	648	7C09DCEBD6136A6A73A96EAC91568DCC.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2644
- C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe
  "C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe
    "C:\Users\Admin\AppData\Local\Temp\7C09DCEBD6136A6A73A96EAC91568DCC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-131-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/576-130-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/576-129-0x0000000002CA0000-0x0000000002DD6000-memory.dmp

Filesize
1.2MB

Download
memory/576-127-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/576-128-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/648-123-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/648-120-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/860-114-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/860-119-0x00000000023D0000-0x00000000023D7000-memory.dmp

Filesize
28KB

Download
memory/860-118-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/860-117-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/860-116-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download