cybergate | 0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 23:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2.exe
Size

1.0MB
MD5

82882978f08dff13080bddec012c5be0
SHA1

937999868d03dccfec01bf93b29ef389f7e183bf
SHA256

0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2
SHA512

de042d2c5adf3fa0c1ea8f679be808cefb9799a93f49c30b9d6e27be74f29dfae580fd0319dda18fa0c04026c2c8708180c502df4bce1fc6f1dfa35197a87d59
SSDEEP

24576:pswmwP9tWpBSUoHkNXqF4TkY5OkoFOYmALkwpOkob:St+9ATreyYUOkvz8Ok8

Score

10^/10

cybergate hacked persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.02.1

Botnet

HaCkEd

trojandoblood.no-ip.org:4000

Mutex

Pluguin

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./
ftp_interval
30
injected_process
explorer.exe
install_dir
Microsoft
install_file
system32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
VOCÊ FOI HACKEADO ...SEU SISTEMA SERÁ FORMATADO.
message_box_title
LAMMER
password
123
regkey_hkcu
Avirnt
regkey_hklm
Avgnt

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Encryptado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\system32.exe"	Encryptado.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Encryptado.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\system32.exe"	Encryptado.exe

Executes dropped EXE 3 IoCs

pid	Process
2272	Encryptado.exe
2344	Encryptado.exe
2740	system32.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V0Y5GVWX-NW2S-E0RD-L72E-2LD8444NP3VG}	Encryptado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V0Y5GVWX-NW2S-E0RD-L72E-2LD8444NP3VG}\StubPath = "C:\\Windows\\Microsoft\\system32.exe Restart"	Encryptado.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{V0Y5GVWX-NW2S-E0RD-L72E-2LD8444NP3VG}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{V0Y5GVWX-NW2S-E0RD-L72E-2LD8444NP3VG}\StubPath = "C:\\Windows\\Microsoft\\system32.exe"	explorer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2272-142-0x0000000024010000-0x0000000024070000-memory.dmp	upx
behavioral2/memory/2272-147-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/1256-150-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/1256-153-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/2272-157-0x00000000240D0000-0x0000000024130000-memory.dmp	upx
behavioral2/memory/2344-160-0x00000000240D0000-0x0000000024130000-memory.dmp	upx
behavioral2/memory/2344-161-0x00000000240D0000-0x0000000024130000-memory.dmp	upx
behavioral2/memory/2344-164-0x00000000240D0000-0x0000000024130000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Encryptado.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Encryptado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avgnt = "C:\\Windows\\Microsoft\\system32.exe"	Encryptado.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	Encryptado.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avirnt = "C:\\Windows\\Microsoft\\system32.exe"	Encryptado.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft\system32.exe	Encryptado.exe
File opened for modification	C:\Windows\Microsoft\system32.exe	Encryptado.exe
File opened for modification	C:\Windows\Microsoft\system32.exe	Encryptado.exe
File opened for modification	C:\Windows\Microsoft\	Encryptado.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1116	2740	WerFault.exe	90

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Encryptado.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2272	Encryptado.exe
2272	Encryptado.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2344	Encryptado.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	Encryptado.exe
Token: SeDebugPrivilege	2344	Encryptado.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2272	Encryptado.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2272	1260	0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2.exe	83
PID 1260 wrote to memory of 2272	1260	0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2.exe	83
PID 1260 wrote to memory of 2272	1260	0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2.exe	83
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24
PID 2272 wrote to memory of 2416	2272	Encryptado.exe	24

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2.exe
  "C:\Users\Admin\AppData\Local\Temp\0d68775758fbc35efadb19385a37f3416f9bc4eed739db247bca8d6f533688a2.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
    "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
      "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2344
    - - C:\Windows\Microsoft\system32.exe
        
        "C:\Windows\Microsoft\system32.exe"
        5⤵
        Executes dropped EXE
        
        PID:2740
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 576
        6⤵
        Program crash
        
        PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2740 -ip 2740
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Encryptado.exe

Filesize
831KB

MD5
8dc72a1cf0f52fcc9592fc0495ece69d

SHA1
abff43bbad8b4f7386cf1cc306640cf7cb8dce6e

SHA256
f6eaddc80594a9ff59a5b9304e7e11146bddc7d104b04c51df5bd32e4b127fa4

SHA512
97b7d63e93ec1205b42cbc4467456e977ce274e6bfddbca092daf3fd6d69b87169d984f6101d9089004841c4e6e18521a4c2b53ca91c047c7586627e6eb5e36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encryptado.exe

Filesize
831KB

MD5
8dc72a1cf0f52fcc9592fc0495ece69d

SHA1
abff43bbad8b4f7386cf1cc306640cf7cb8dce6e

SHA256
f6eaddc80594a9ff59a5b9304e7e11146bddc7d104b04c51df5bd32e4b127fa4

SHA512
97b7d63e93ec1205b42cbc4467456e977ce274e6bfddbca092daf3fd6d69b87169d984f6101d9089004841c4e6e18521a4c2b53ca91c047c7586627e6eb5e36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encryptado.exe

Filesize
831KB

MD5
8dc72a1cf0f52fcc9592fc0495ece69d

SHA1
abff43bbad8b4f7386cf1cc306640cf7cb8dce6e

SHA256
f6eaddc80594a9ff59a5b9304e7e11146bddc7d104b04c51df5bd32e4b127fa4

SHA512
97b7d63e93ec1205b42cbc4467456e977ce274e6bfddbca092daf3fd6d69b87169d984f6101d9089004841c4e6e18521a4c2b53ca91c047c7586627e6eb5e36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
221KB

MD5
62f61f5b11341c55bdf387af40543076

SHA1
d7af4318086d184ebe048b846a3f5a5c32e45053

SHA256
2f1611f183d31238762301fe37a2414be11179e2dbace07f3603b2d833c40310

SHA512
d55dc3f6f547f6750c5f3b99e720f18e46753ba8f6b4b1df3157b0765fa167c068829aebae13c0d9c02761036642abdcfbb7dcb910e690e2023d0bee627400d8

Download Submit
C:\Windows\Microsoft\system32.exe

Filesize
831KB

MD5
8dc72a1cf0f52fcc9592fc0495ece69d

SHA1
abff43bbad8b4f7386cf1cc306640cf7cb8dce6e

SHA256
f6eaddc80594a9ff59a5b9304e7e11146bddc7d104b04c51df5bd32e4b127fa4

SHA512
97b7d63e93ec1205b42cbc4467456e977ce274e6bfddbca092daf3fd6d69b87169d984f6101d9089004841c4e6e18521a4c2b53ca91c047c7586627e6eb5e36d

Download Submit
C:\Windows\Microsoft\system32.exe

Filesize
831KB

MD5
8dc72a1cf0f52fcc9592fc0495ece69d

SHA1
abff43bbad8b4f7386cf1cc306640cf7cb8dce6e

SHA256
f6eaddc80594a9ff59a5b9304e7e11146bddc7d104b04c51df5bd32e4b127fa4

SHA512
97b7d63e93ec1205b42cbc4467456e977ce274e6bfddbca092daf3fd6d69b87169d984f6101d9089004841c4e6e18521a4c2b53ca91c047c7586627e6eb5e36d

Download Submit
memory/1256-153-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/1256-150-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/1260-135-0x00000000079F0000-0x0000000007A82000-memory.dmp

Filesize
584KB

Download
memory/1260-132-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/1260-137-0x0000000007AF0000-0x0000000007B46000-memory.dmp

Filesize
344KB

Download
memory/1260-136-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/1260-134-0x0000000007FA0000-0x0000000008544000-memory.dmp

Filesize
5.6MB

Download
memory/1260-133-0x0000000007950000-0x00000000079EC000-memory.dmp

Filesize
624KB

Download
memory/2272-147-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/2272-157-0x00000000240D0000-0x0000000024130000-memory.dmp

Filesize
384KB

Download
memory/2272-142-0x0000000024010000-0x0000000024070000-memory.dmp

Filesize
384KB

Download
memory/2344-160-0x00000000240D0000-0x0000000024130000-memory.dmp

Filesize
384KB

Download
memory/2344-161-0x00000000240D0000-0x0000000024130000-memory.dmp

Filesize
384KB

Download
memory/2344-164-0x00000000240D0000-0x0000000024130000-memory.dmp

Filesize
384KB

Download