cybergate | 708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe
Size

407KB
MD5

6afa8fc0c50ca00b9c9e44ead4a53d20
SHA1

8f8d6f886b138271c0910d1ebe1d765a7d074368
SHA256

708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f
SHA512

ba3c49693c9cfab653f2b382d9a60b2d86ebf32e03bf21bbab40b3b04c0245dcb30120e66dab0237974eda61271b079ad8c6c33480023658161c9a850e36ac8a
SSDEEP

12288:yUYrtmqS/fQ17WKuqN3QPYTV0/K1p8HgXY8w:yZrtrS/Y6B+3QPYT6KN

Score

10^/10

cybergate keepvid persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Keepvid

paradiszamal.no-ip.info:15963

Mutex

PTK63LKF5T63AR

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
97420

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Executes dropped EXE 3 IoCs

pid	Process
2020	WinUpdate.exe
3908	WinUpdate.exe
404	WinUpdate.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2020-143-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3908-146-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3908-149-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/3908-153-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WinUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\inv.exe"	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3908	WinUpdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	3908	WinUpdate.exe
Token: SeRestorePrivilege	3908	WinUpdate.exe
Token: SeDebugPrivilege	3908	WinUpdate.exe
Token: SeDebugPrivilege	3908	WinUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 1664 wrote to memory of 2020	1664	708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe	85
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86
PID 2020 wrote to memory of 3908	2020	WinUpdate.exe	86

C:\Users\Admin\AppData\Local\Temp\708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe
"C:\Users\Admin\AppData\Local\Temp\708a1a74d7dc1e3094a29ffac0165a2799c66f9f2d29bf21fe8ecc8945a9396f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Roaming\WinUpdate.exe
  C:\Users\Admin\AppData\Roaming\WinUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Roaming\WinUpdate.exe
    "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
  - - C:\Users\Admin\AppData\Roaming\WinUpdate.exe
      "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
      4⤵
      Executes dropped EXE
      PID:404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
ae8860b5e0332ec1835640299d729dba

SHA1
87d6966f10aec9dc64a4a6de3bf9098479ca7f1d

SHA256
b6eecda81e2b00bcfa22b071bddcf724ef7a1cdfc55fa4c48c4b13554e197832

SHA512
186b08f308a2290b4c0d9d297a1cc019a48e1e2812eb8b880e7a77033b8da838eb997f250724acb1cf3e2925161b4315a2ae3a4df5789474a63290d3a359a687

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate.exe

Filesize
1KB

MD5
0df5b5319b99007441a57e8fd0b8727b

SHA1
73f1d54d460f84a68973e3a6fb56959dd853be5b

SHA256
27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

SHA512
563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate.exe

Filesize
1KB

MD5
0df5b5319b99007441a57e8fd0b8727b

SHA1
73f1d54d460f84a68973e3a6fb56959dd853be5b

SHA256
27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

SHA512
563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate.exe

Filesize
1KB

MD5
0df5b5319b99007441a57e8fd0b8727b

SHA1
73f1d54d460f84a68973e3a6fb56959dd853be5b

SHA256
27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

SHA512
563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate.exe

Filesize
1KB

MD5
0df5b5319b99007441a57e8fd0b8727b

SHA1
73f1d54d460f84a68973e3a6fb56959dd853be5b

SHA256
27a7ef5bf4f9f5f9ef0a302ac52863759b09541812196fb819b8b5779b029ffc

SHA512
563a801957a073c1ccfc90a420cc1345f695dbf85ce0afdc5a1cb4d6ef479cdf9dde178d3c2d6216638b4a6a05e32dacc6f0bf8c3b097416b495b9642e1ef9a6

Download Submit
memory/1664-138-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1664-152-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2020-136-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2020-137-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2020-139-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2020-143-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2020-147-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2020-133-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3908-149-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3908-146-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/3908-153-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download