cybergate | 824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f

Analysis

max time kernel
152s
max time network
68s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe
Size

949KB
MD5

676b2cd05e641e3eac05ae3e2f9a4fd0
SHA1

82d9da10dbf62d65513e1286333f0585491e914a
SHA256

824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f
SHA512

d68d6fc183458e636d734177b82565f0419a74d5c35c08f8ff97dd491977f99ff8b4549955e161d3bccade59c57246f928368ed72635049b7474378f129a8dae
SSDEEP

12288:9NPEpj1NvjDdZDiQYXMqE4Xvb3BySDZVmKSUPuqWeahQeAWeBY:95EDdiQYXMq97BySrmxqrMvP

Score

10^/10

cybergate inf_spr_0106 stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.4

Botnet

INF_SPR_0106

clippico.zapto.org:33881

Mutex

BBQJ4HII2D46NL

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
FlashPlayerPlugin_11_6_602_179.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
27042704
regkey_hkcu
FlashPlayerPlugin

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-82-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1872-87-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1872-89-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/1872-90-0x0000000010410000-0x0000000010480000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	applaunch.exe
Token: SeDebugPrivilege	1872	applaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1744	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	28
PID 1760 wrote to memory of 1732	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	29
PID 1760 wrote to memory of 1732	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	29
PID 1760 wrote to memory of 1732	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	29
PID 1760 wrote to memory of 1732	1760	824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe	29
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31
PID 1744 wrote to memory of 1872	1744	applaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe
"C:\Users\Admin\AppData\Local\Temp\824cd81bb1f2e09a9948fd4713a7e330e0eed613c707a746aff07ac8a02f9a7f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YiafN.vbs"
  2⤵
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
234KB

MD5
fe3a60c68d5d289537d7f577b7b41509

SHA1
a6c123640a3ba69dd3ec4e827f3d126926614f94

SHA256
3c0e800cd82fcc2cf7168cc91c55a48e9d977b7f6b16a8df701a15037ba5c224

SHA512
f90910c8d772a5d3cb924bb7b2fea2b57c394cd3cb4dec4c3f74c1e02e9cd7d5dacc8b20425dc24395d4c0f8f08ce6cd8d3a125fd7481df77f11911229272a13

Download Submit
C:\Users\Admin\AppData\Roaming\YiafN.vbs

Filesize
448B

MD5
ecf01140383176c2bef9230e582abe31

SHA1
e0d093025188f9b015957248602fa9d72d02295b

SHA256
1a9a96a3ad5dea6540d0c9dc87e6c5f257f5abb55c7f1bd95783ff2bb13bb235

SHA512
e48e246b7a6d03fc38dca7dceb0d4f713a9ce8936fa06f8905d9a909e3a48fafc2d623f38df9b14defdc63186f4eb48635af79be41d21b0dad448e03db9b005e

Download Submit
memory/1744-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-73-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-61-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-63-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-69-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-67-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-65-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-82-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1744-71-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1744-78-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1744-56-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1760-75-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1760-55-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/1872-85-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1872-87-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1872-89-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1872-90-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download