cybergate | 4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc

General

Target

4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe
Size

776KB
MD5

6950c7661fbe679ffa1e84abfe1a0b80
SHA1

87b391dc9f8cec35d3422500816719ebf39339f4
SHA256

4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc
SHA512

a529e302f0e0a24fb177cfa4279ad8fc0e19a09c0425a9175ce8fa2b0bde58db498a3ec2bb2f61668f5e3946d79d8e200426f0b42c9a253d8b205a3377cf4af6
SSDEEP

12288:gXuaWe+Uzq+5keKmlHpKydeZJ7aUBTqKgYv+L3pdnxZaq:gXRW/gUZJLTXGz

Score

10^/10

cybergate zombie persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Zombie

C2

xortdan.no-ip.org:85

Mutex

T74RW012J0848D

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
lopas

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 1 IoCs

Processes:

Svchost.exe

pid process

3488 Svchost.exe

pid	process
3488	Svchost.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{O6532OUJ-8G75-672F-C3U0-133O654S7DN3}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{O6532OUJ-8G75-672F-C3U0-133O654S7DN3}\StubPath = "C:\\Windows\\Windir\\Svchost.exe Restart"	vbc.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2744-138-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2744-140-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2744-142-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2744-143-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2744-145-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2744-150-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3652-153-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2744-154-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3652-155-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3652-160-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe

pid	process
3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe
3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe
3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe
3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe

description	pid	process	target process
PID 3340 set thread context of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Windows\Windir\Svchost.exe vbc.exe
File opened for modification C:\Windows\Windir\Svchost.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

2744 vbc.exe
2744 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

3652 vbc.exe

description	ioc	process
File created	C:\Windows\Windir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\Windir\Svchost.exe	vbc.exe

pid	process
2744	vbc.exe
2744	vbc.exe

pid	process
3652	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeBackupPrivilege	3652	vbc.exe
Token: SeRestorePrivilege	3652	vbc.exe
Token: SeDebugPrivilege	3652	vbc.exe
Token: SeDebugPrivilege	3652	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exevbc.exe

description	pid	process	target process
PID 3340 wrote to memory of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe
PID 3340 wrote to memory of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe
PID 3340 wrote to memory of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe
PID 3340 wrote to memory of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe
PID 3340 wrote to memory of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe
PID 3340 wrote to memory of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe
PID 3340 wrote to memory of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe
PID 3340 wrote to memory of 2744	3340	4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe	vbc.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe
PID 2744 wrote to memory of 3732	2744	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe
"C:\Users\Admin\AppData\Local\Temp\4ffaf26aa6b91cf037df0e1c565235b8e369ce5bc7ed8daf590ce29d3f6dd0bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:3732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\Windir\Svchost.exe
"C:\Windows\Windir\Svchost.exe"
4⤵
- Executes dropped EXE
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
621c26bb7e0d60eaa6a094764ed97536

SHA1
83bf598f3d4cc33fa855d8326dc2c4dd28e40aa9

SHA256
b600f3e20650b15482d0ab1b82d35c0dba8bcb6d03b531d92d44fb78f995b1c9

SHA512
707973f1d09cab39d75745c23290259c496b10e0985bd9bcb0269b2124995b4dab8609434c21acf87999a53b6f3735a7d5e09aeee2ec10cb5c3c9a0d8a9ba548

Download Submit
C:\Users\Admin\AppData\Local\Temp\User32.dll
Filesize
18KB

MD5
5fa07d6c6384d703766d7935de68850e

SHA1
62f28a572b4d1d359db7017235912ad2599b8c1d

SHA256
120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f

SHA512
7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\User32.dll
Filesize
18KB

MD5
5fa07d6c6384d703766d7935de68850e

SHA1
62f28a572b4d1d359db7017235912ad2599b8c1d

SHA256
120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f

SHA512
7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\User32.dll
Filesize
18KB

MD5
5fa07d6c6384d703766d7935de68850e

SHA1
62f28a572b4d1d359db7017235912ad2599b8c1d

SHA256
120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f

SHA512
7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\User32.dll
Filesize
18KB

MD5
5fa07d6c6384d703766d7935de68850e

SHA1
62f28a572b4d1d359db7017235912ad2599b8c1d

SHA256
120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f

SHA512
7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

Download Submit
C:\Windows\Windir\Svchost.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\Windir\Svchost.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/2744-143-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2744-140-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2744-142-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2744-137-0x0000000000000000-mapping.dmp

Download
memory/2744-145-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2744-138-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2744-150-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2744-154-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3340-141-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3340-132-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3488-158-0x0000000000000000-mapping.dmp

Download
memory/3652-153-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3652-155-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3652-149-0x0000000000000000-mapping.dmp

Download
memory/3652-160-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads