cybergate | 1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206

Analysis

max time kernel
176s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
Size

888KB
MD5

a0efe7e5c16f631870d5d29b5992a020
SHA1

70afc709e34a9a9cddcebfe0237520d9efb95b76
SHA256

1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206
SHA512

3dfb6122e1656a8c8da52a0cd72d20cf8df0595a6761fea9a94e2ab362c009940515243c16984397c18f1a41e3f3af7fd16a7ed7780e64d05ddc91f25e4e9c34
SSDEEP

12288:dHlDbtDorPevhdQivIi3kTy/lZyNDaHBgwM3dBE5c:dHlD1gPeJdVv73azDwGX

Score

10^/10

cybergate rs3 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

RS3

blueparrot.no-ip.biz:87

Mutex

61FUA6146NINT0

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
winessentials.exe
install_dir
install
install_file
Windowslive.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
c1ndy123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\g4HYvpm3b00GZB2I\\zhgctAGmVRpS.exe\",explorer.exe"	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cvtres.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Winessentials\\install\\Windowslive.exe"	cvtres.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\Winessentials\\install\\Windowslive.exe"	cvtres.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	Windowslive.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AVDRR2M-O003-70KB-8I13-0477ML04F252}	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AVDRR2M-O003-70KB-8I13-0477ML04F252}\StubPath = "c:\\directory\\Winessentials\\install\\Windowslive.exe Restart"	cvtres.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2696-140-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2696-145-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3672-148-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3672-150-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3672-155-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\Winessentials\\install\\Windowslive.exe"	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	cvtres.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\Winessentials\\install\\Windowslive.exe"	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
2696	cvtres.exe
2696	cvtres.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3672	cvtres.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
Token: SeBackupPrivilege	3672	cvtres.exe
Token: SeRestorePrivilege	3672	cvtres.exe
Token: SeDebugPrivilege	3672	cvtres.exe
Token: SeDebugPrivilege	3672	cvtres.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2032 wrote to memory of 2696	2032	1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe	85
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86
PID 2696 wrote to memory of 4648	2696	cvtres.exe	86

C:\Users\Admin\AppData\Local\Temp\1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe
"C:\Users\Admin\AppData\Local\Temp\1ec545c89fb3a8ffdbdd7fa804c8222f55f032cbc38ec761cab366418ef49206.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
  - - C:\directory\Winessentials\install\Windowslive.exe
      "C:\directory\Winessentials\install\Windowslive.exe"
      4⤵
      Executes dropped EXE
      PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
1dc2681ba094f15c8e53112112c6f0d9

SHA1
8647c3afb6cf4f52e8a7f4d323eb1710628d935b

SHA256
9796e58057363c1d0d8911328c9021486bcaa6e4d2627394b086ee65ba7dc0d6

SHA512
6d9790e70e2a7aa1b75bd7df297d93efa10f74ea050916ed82aad29f270b39cdfb8124c510a9e91739cd1dea788de1cc18b698fc733940260fdca4784b59a58d

Download Submit
C:\directory\Winessentials\install\Windowslive.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\directory\Winessentials\install\Windowslive.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/2032-133-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2032-132-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/2696-138-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-140-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2696-137-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-145-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2696-136-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-149-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-135-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3672-150-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3672-148-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/3672-155-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download