cybergate | a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6

General

Target

a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe
Size

356KB
MD5

7bf7a3959ad1b024a2b22ccd5d4387a0
SHA1

34a0476e3339707a75c4b852c535a3177ad4da51
SHA256

a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6
SHA512

b254a0cdead57e7a28784ce402b4424f19a33c5ffe457d67ba35d174795f670257d124a9d0133d22107f1e287bc6635f8944bfdd5407b7477e436a9d68d7cf47
SSDEEP

6144:VTfq8aL+jyORFsyRw5nVgOrkTxPcv/BnAtTHIw2hPVd+t3kfWeIDvxH5wCK/VVRA:Vi83ayaHkTOHETHz2fm8RIjxZU/VVRXw

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victime

C2

moi1000.no-ip.biz:1000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
system32
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

1.exe1.exe

pid process

1740 1.exe
1648 1.exe

pid	process
1740	1.exe
1648	1.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{23D13804-45T6-234L-70IB-PD4GC24DWNN8}	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23D13804-45T6-234L-70IB-PD4GC24DWNN8}\StubPath = "C:\\Windows\\system32\\system32\\win32.exe Restart"	1.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1648-63-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1648-65-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1648-67-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1648-70-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1648-73-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1648-74-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral1/memory/1648-78-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1648-84-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1648-89-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe

pid	process
1480	a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe
1480	a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\system32\\win32.exe"	1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\system32\\win32.exe"	1.exe

Drops file in System32 directory 2 IoCs

Processes:

1.exe

description ioc process

File created C:\Windows\SysWOW64\system32\win32.exe 1.exe
File opened for modification C:\Windows\SysWOW64\system32\win32.exe 1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1.exe

description pid process target process

PID 1740 set thread context of 1648 1740 1.exe 1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\system32\win32.exe	1.exe
File opened for modification	C:\Windows\SysWOW64\system32\win32.exe	1.exe

description	pid	process	target process
PID 1740 set thread context of 1648	1740	1.exe	1.exe

NTFS ADS 1 IoCs

Processes:

a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe

description	ioc	process
File opened for modification	C:\Extracted\.L:x”QbŸV Ÿã5\G´;CK(P5M{'ŠÝÅ°Ïªt¦®£ H50cxl+ºå©Fb=½•8—[5÷\|>Y±úØðŸ+Ì"Î–„LÕþt¿K}ìÏÎl2‘ÙŽÈ~ß7ÐKtÆvàƒžÁò÷Ú;p´²ÁÙ=²ëc÷³µ‰ªµ–1!„* 0Mjˆ8ÁÉø{<Šd†ý>\¸YªŽI6…£ÙâdÇJf¹{°ÁøÐã¥¡GŒïMFá,Ì)ò“ê5béÖuÉÇÒ°ô[K ‘¼œ	a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

1648 1.exe
1648 1.exe

Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

1.exe

pid	process
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe
1648	1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1.exe

description pid process

Token: SeDebugPrivilege 1648 1.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exeDllHost.exe

pid process

1648 1.exe
1836 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1.exe

pid process

1740 1.exe

description	pid	process
Token: SeDebugPrivilege	1648	1.exe

pid	process
1740	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe1.exe1.exe

description	pid	process	target process
PID 1480 wrote to memory of 1740	1480	a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe	1.exe
PID 1480 wrote to memory of 1740	1480	a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe	1.exe
PID 1480 wrote to memory of 1740	1480	a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe	1.exe
PID 1480 wrote to memory of 1740	1480	a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe	1.exe
PID 1740 wrote to memory of 1648	1740	1.exe	1.exe
PID 1740 wrote to memory of 1648	1740	1.exe	1.exe
PID 1740 wrote to memory of 1648	1740	1.exe	1.exe
PID 1740 wrote to memory of 1648	1740	1.exe	1.exe
PID 1740 wrote to memory of 1648	1740	1.exe	1.exe
PID 1740 wrote to memory of 1648	1740	1.exe	1.exe
PID 1740 wrote to memory of 1648	1740	1.exe	1.exe
PID 1740 wrote to memory of 1648	1740	1.exe	1.exe
PID 1648 wrote to memory of 368	1648	1.exe	wininit.exe
PID 1648 wrote to memory of 368	1648	1.exe	wininit.exe
PID 1648 wrote to memory of 368	1648	1.exe	wininit.exe
PID 1648 wrote to memory of 368	1648	1.exe	wininit.exe
PID 1648 wrote to memory of 368	1648	1.exe	wininit.exe
PID 1648 wrote to memory of 368	1648	1.exe	wininit.exe
PID 1648 wrote to memory of 376	1648	1.exe	csrss.exe
PID 1648 wrote to memory of 376	1648	1.exe	csrss.exe
PID 1648 wrote to memory of 376	1648	1.exe	csrss.exe
PID 1648 wrote to memory of 376	1648	1.exe	csrss.exe
PID 1648 wrote to memory of 376	1648	1.exe	csrss.exe
PID 1648 wrote to memory of 376	1648	1.exe	csrss.exe
PID 1648 wrote to memory of 416	1648	1.exe	winlogon.exe
PID 1648 wrote to memory of 416	1648	1.exe	winlogon.exe
PID 1648 wrote to memory of 416	1648	1.exe	winlogon.exe
PID 1648 wrote to memory of 416	1648	1.exe	winlogon.exe
PID 1648 wrote to memory of 416	1648	1.exe	winlogon.exe
PID 1648 wrote to memory of 416	1648	1.exe	winlogon.exe
PID 1648 wrote to memory of 460	1648	1.exe	services.exe
PID 1648 wrote to memory of 460	1648	1.exe	services.exe
PID 1648 wrote to memory of 460	1648	1.exe	services.exe
PID 1648 wrote to memory of 460	1648	1.exe	services.exe
PID 1648 wrote to memory of 460	1648	1.exe	services.exe
PID 1648 wrote to memory of 460	1648	1.exe	services.exe
PID 1648 wrote to memory of 476	1648	1.exe	lsass.exe
PID 1648 wrote to memory of 476	1648	1.exe	lsass.exe
PID 1648 wrote to memory of 476	1648	1.exe	lsass.exe
PID 1648 wrote to memory of 476	1648	1.exe	lsass.exe
PID 1648 wrote to memory of 476	1648	1.exe	lsass.exe
PID 1648 wrote to memory of 476	1648	1.exe	lsass.exe
PID 1648 wrote to memory of 484	1648	1.exe	lsm.exe
PID 1648 wrote to memory of 484	1648	1.exe	lsm.exe
PID 1648 wrote to memory of 484	1648	1.exe	lsm.exe
PID 1648 wrote to memory of 484	1648	1.exe	lsm.exe
PID 1648 wrote to memory of 484	1648	1.exe	lsm.exe
PID 1648 wrote to memory of 484	1648	1.exe	lsm.exe
PID 1648 wrote to memory of 596	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 596	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 596	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 596	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 596	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 596	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 672	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 672	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 672	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 672	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 672	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 672	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 724	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 724	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 724	1648	1.exe	svchost.exe
PID 1648 wrote to memory of 724	1648	1.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1832

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
3⤵
- Suspicious use of FindShellTrayWindow
PID:1836

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe
"C:\Users\Admin\AppData\Local\Temp\a863503b3ade528eb3985046b4b9b324528eea8bed9a22569c0ba3b5189e0dd6.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1480

C:\Extracted\1.exe
"C:\Extracted\1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

C:\Extracted\1.exe
"C:\Extracted\1.exe"
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1648

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\1.exe
Filesize
303KB

MD5
f6e6fcab82bab9eaa5521a07bb5c3713

SHA1
fdf70d41897ee5d8e62993c2b1300e1743483262

SHA256
5453da881f5383035d5c3ed4ab4e4aaad5bf1ed2bfdd960cf5ac0db9fc02d38d

SHA512
a8457c866d9ce246d2569fceddbd1c29ade3973262e84805093315adb9ed621ce339c0846d0d3a461a1f910de9c9b92806645546a52b02dd9f072b65151145ae

Download Submit
C:\Extracted\1.exe
Filesize
303KB

MD5
f6e6fcab82bab9eaa5521a07bb5c3713

SHA1
fdf70d41897ee5d8e62993c2b1300e1743483262

SHA256
5453da881f5383035d5c3ed4ab4e4aaad5bf1ed2bfdd960cf5ac0db9fc02d38d

SHA512
a8457c866d9ce246d2569fceddbd1c29ade3973262e84805093315adb9ed621ce339c0846d0d3a461a1f910de9c9b92806645546a52b02dd9f072b65151145ae

Download Submit
C:\Extracted\1.exe
Filesize
303KB

MD5
f6e6fcab82bab9eaa5521a07bb5c3713

SHA1
fdf70d41897ee5d8e62993c2b1300e1743483262

SHA256
5453da881f5383035d5c3ed4ab4e4aaad5bf1ed2bfdd960cf5ac0db9fc02d38d

SHA512
a8457c866d9ce246d2569fceddbd1c29ade3973262e84805093315adb9ed621ce339c0846d0d3a461a1f910de9c9b92806645546a52b02dd9f072b65151145ae

Download Submit
\Extracted\1.exe
Filesize
303KB

MD5
f6e6fcab82bab9eaa5521a07bb5c3713

SHA1
fdf70d41897ee5d8e62993c2b1300e1743483262

SHA256
5453da881f5383035d5c3ed4ab4e4aaad5bf1ed2bfdd960cf5ac0db9fc02d38d

SHA512
a8457c866d9ce246d2569fceddbd1c29ade3973262e84805093315adb9ed621ce339c0846d0d3a461a1f910de9c9b92806645546a52b02dd9f072b65151145ae

Download Submit
\Extracted\1.exe
Filesize
303KB

MD5
f6e6fcab82bab9eaa5521a07bb5c3713

SHA1
fdf70d41897ee5d8e62993c2b1300e1743483262

SHA256
5453da881f5383035d5c3ed4ab4e4aaad5bf1ed2bfdd960cf5ac0db9fc02d38d

SHA512
a8457c866d9ce246d2569fceddbd1c29ade3973262e84805093315adb9ed621ce339c0846d0d3a461a1f910de9c9b92806645546a52b02dd9f072b65151145ae

Download Submit
memory/1212-87-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1480-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1480-82-0x000000007EFA0000-0x000000007EFA9000-memory.dmp

Filesize
36KB

Download
memory/1480-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1480-79-0x000000007EFA0000-0x000000007EFA9000-memory.dmp

Filesize
36KB

Download
memory/1480-76-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1480-77-0x0000000001F50000-0x0000000001F5C000-memory.dmp

Filesize
48KB

Download
memory/1480-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1648-62-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1648-73-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1648-74-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1648-70-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1648-68-0x000000000045B214-mapping.dmp

Download
memory/1648-78-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1648-67-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1648-65-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1648-63-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1648-84-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1648-89-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1740-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1740-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads