cybergate | 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206

Analysis

max time kernel
151s
max time network
108s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
Size

888KB
MD5

a0efe7e5c16f631870d5d29b5992a020
SHA1

70afc709e34a9a9cddcebfe0237520d9efb95b76
SHA256

1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206
SHA512

3dfb6122e1656a8c8da52a0cd72d20cf8df0595a6761fea9a94e2ab362c009940515243c16984397c18f1a41e3f3af7fd16a7ed7780e64d05ddc91f25e4e9c34
SSDEEP

12288:dHlDbtDorPevhdQivIi3kTy/lZyNDaHBgwM3dBE5c:dHlD1gPeJdVv73azDwGX

Score

10^/10

cybergate rs3 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

RS3

blueparrot.no-ip.biz:87

Mutex

61FUA6146NINT0

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
winessentials.exe
install_dir
install
install_file
Windowslive.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
c1ndy123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\g4HYvpm3b00GZB2I\\uWpZFcJV50V3.exe\",explorer.exe"	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Winessentials\\install\\Windowslive.exe"	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cvtres.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Winessentials\\install\\Windowslive.exe"	cvtres.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cvtres.exe

Executes dropped EXE 1 IoCs

pid	Process
1720	Windowslive.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AVDRR2M-O003-70KB-8I13-0477ML04F252}	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AVDRR2M-O003-70KB-8I13-0477ML04F252}\StubPath = "c:\\directory\\Winessentials\\install\\Windowslive.exe Restart"	cvtres.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1064-75-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1064-81-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/692-87-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/692-93-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/692-94-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
692	cvtres.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\Winessentials\\install\\Windowslive.exe"	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	cvtres.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\Winessentials\\install\\Windowslive.exe"	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
1064	cvtres.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
692	cvtres.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
Token: SeBackupPrivilege	692	cvtres.exe
Token: SeRestorePrivilege	692	cvtres.exe
Token: SeDebugPrivilege	692	cvtres.exe
Token: SeDebugPrivilege	692	cvtres.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1944 wrote to memory of 1064	1944	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	28
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29
PID 1064 wrote to memory of 320	1064	cvtres.exe	29

C:\Users\Admin\AppData\Local\Temp\1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
"C:\Users\Admin\AppData\Local\Temp\1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:692
  - - C:\directory\Winessentials\install\Windowslive.exe
      "C:\directory\Winessentials\install\Windowslive.exe"
      4⤵
      Executes dropped EXE
      PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
1dc2681ba094f15c8e53112112c6f0d9

SHA1
8647c3afb6cf4f52e8a7f4d323eb1710628d935b

SHA256
9796e58057363c1d0d8911328c9021486bcaa6e4d2627394b086ee65ba7dc0d6

SHA512
6d9790e70e2a7aa1b75bd7df297d93efa10f74ea050916ed82aad29f270b39cdfb8124c510a9e91739cd1dea788de1cc18b698fc733940260fdca4784b59a58d

Download Submit
C:\directory\Winessentials\install\Windowslive.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\directory\Winessentials\install\Windowslive.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\directory\Winessentials\install\Windowslive.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/692-94-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/692-93-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/692-87-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/692-84-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1064-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-75-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1064-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-81-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1064-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-86-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1064-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1944-73-0x0000000000555000-0x0000000000566000-memory.dmp

Filesize
68KB

Download
memory/1944-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1944-57-0x0000000000555000-0x0000000000566000-memory.dmp

Filesize
68KB

Download
memory/1944-56-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-55-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download