cybergate | 6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217.exe
Size

882KB
MD5

671344de77b6c3997f9ae63f2371f5e6
SHA1

1a70b8f53e1bc7e6034534756b75bcea17b943af
SHA256

6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217
SHA512

1ad550d5e23a7a86de7f423f3580a5b76e6f917fe88ebba8fae0293cb4b64b4f49cf8c5ea74bd9b82364812e1a0fec084b32fdd46f20df54c93385f07a5f044a
SSDEEP

12288:64su2IyR8hkw8lKTGPM3LeFv6ibeEO5hJpQcmY/Wf8FszBNjianrtmJ:64sb18+OGPMaed59b/neF9iixmJ

Score

10^/10

cybergate 17june persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

17june

127.0.0.1:289

netbios.serveftp.com:289

Mutex

07P343Y8BIT72J

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
driver
install_file
svchost32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
karu
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\drivers\\svchost32.exe\\driver\\svchost32.exe"	Crypted.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\drivers\\svchost32.exe\\driver\\svchost32.exe"	Crypted.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\drivers\svchost32.exe\driver\svchost32.exe	Crypted.exe
File opened for modification	\??\c:\windows\SysWOW64\drivers\svchost32.exe\driver\svchost32.exe	explorer.exe
File opened for modification	\??\c:\windows\SysWOW64\drivers\svchost32.exe\driver\	explorer.exe
File created	\??\c:\windows\SysWOW64\drivers\svchost32.exe\driver\svchost32.exe	Crypted.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	Crypted.exe
176	svchost32.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B251542H-N7T1-H3BL-N68A-817Y2NG787H7}\StubPath = "c:\\windows\\system32\\drivers\\svchost32.exe\\driver\\svchost32.exe Restart"	Crypted.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{B251542H-N7T1-H3BL-N68A-817Y2NG787H7}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B251542H-N7T1-H3BL-N68A-817Y2NG787H7}\StubPath = "c:\\windows\\system32\\drivers\\svchost32.exe\\driver\\svchost32.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{B251542H-N7T1-H3BL-N68A-817Y2NG787H7}	Crypted.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1940-137-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral2/memory/1940-142-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/4872-145-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/4872-148-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/1940-151-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral2/memory/2772-154-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral2/memory/2772-155-0x00000000104F0000-0x0000000010551000-memory.dmp	upx
behavioral2/memory/2772-158-0x00000000104F0000-0x0000000010551000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\windows\\system32\\drivers\\svchost32.exe\\driver\\svchost32.exe"	Crypted.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\windows\\system32\\drivers\\svchost32.exe\\driver\\svchost32.exe"	Crypted.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4276	176	WerFault.exe	86

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1940	Crypted.exe
1940	Crypted.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	explorer.exe
Token: SeDebugPrivilege	2772	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1940	Crypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1940	1180	6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217.exe	83
PID 1180 wrote to memory of 1940	1180	6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217.exe	83
PID 1180 wrote to memory of 1940	1180	6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217.exe	83
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30
PID 1940 wrote to memory of 2740	1940	Crypted.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217.exe
  "C:\Users\Admin\AppData\Local\Temp\6ed70d36fec88b0566c345d3fd02563bfd9fd4beaf90802ac76d63c30db96217.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      PID:4872
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Drops file in Drivers directory
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2772
    - - C:\windows\SysWOW64\drivers\svchost32.exe\driver\svchost32.exe
        
        "C:\windows\system32\drivers\svchost32.exe\driver\svchost32.exe"
        5⤵
        Executes dropped EXE
        
        PID:176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 176 -s 564
        6⤵
        Program crash
        
        PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 176 -ip 176
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
283KB

MD5
0d362674e3653d9d2c7bec8c47847b0b

SHA1
bc8c0a9a63dbb3ed46ec637cc503ac95f8f0bc1a

SHA256
147a9945553eb6a5af7d6ca063a1c5d7e74782c0a27086a68133fd6e5908180e

SHA512
8e65958c42bd4841f09f8ea5e5ca34f88dbd3b08a637783aef7fd093a0cb4cb3963ed772e12481096f6a13d0d4dfaf70d0c5211d96a45482367bd034a7d421f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
283KB

MD5
0d362674e3653d9d2c7bec8c47847b0b

SHA1
bc8c0a9a63dbb3ed46ec637cc503ac95f8f0bc1a

SHA256
147a9945553eb6a5af7d6ca063a1c5d7e74782c0a27086a68133fd6e5908180e

SHA512
8e65958c42bd4841f09f8ea5e5ca34f88dbd3b08a637783aef7fd093a0cb4cb3963ed772e12481096f6a13d0d4dfaf70d0c5211d96a45482367bd034a7d421f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
222KB

MD5
f530ef9fcfa101a11923b09731662d67

SHA1
3c3b4f691c602d4d7bde0c906d493f8d1107d6f1

SHA256
6df028e2ea6ce7a59582b069676f468dd74ad1240971acb346cc3e90b64f120e

SHA512
cb87473cc5a791ec722691c73a99cdf6f2d8a3f17535ced305689e070e3eff34fd59b8116d8854cba8414b3cb2ce17e1ad8a54a1f21553a8e8ed8325ad67fc34

Download Submit
C:\Windows\SysWOW64\drivers\svchost32.exe\driver\svchost32.exe

Filesize
283KB

MD5
0d362674e3653d9d2c7bec8c47847b0b

SHA1
bc8c0a9a63dbb3ed46ec637cc503ac95f8f0bc1a

SHA256
147a9945553eb6a5af7d6ca063a1c5d7e74782c0a27086a68133fd6e5908180e

SHA512
8e65958c42bd4841f09f8ea5e5ca34f88dbd3b08a637783aef7fd093a0cb4cb3963ed772e12481096f6a13d0d4dfaf70d0c5211d96a45482367bd034a7d421f7

Download Submit
\??\c:\windows\SysWOW64\drivers\svchost32.exe\driver\svchost32.exe

Filesize
283KB

MD5
0d362674e3653d9d2c7bec8c47847b0b

SHA1
bc8c0a9a63dbb3ed46ec637cc503ac95f8f0bc1a

SHA256
147a9945553eb6a5af7d6ca063a1c5d7e74782c0a27086a68133fd6e5908180e

SHA512
8e65958c42bd4841f09f8ea5e5ca34f88dbd3b08a637783aef7fd093a0cb4cb3963ed772e12481096f6a13d0d4dfaf70d0c5211d96a45482367bd034a7d421f7

Download Submit
memory/1180-132-0x00007FFF37FA0000-0x00007FFF389D6000-memory.dmp

Filesize
10.2MB

Download
memory/1940-137-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/1940-142-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/1940-151-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/2772-154-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/2772-155-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/2772-158-0x00000000104F0000-0x0000000010551000-memory.dmp

Filesize
388KB

Download
memory/4872-145-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/4872-148-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download