cybergate | 4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b

Analysis

max time kernel
152s
max time network
73s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 05:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe
Size

1.1MB
MD5

5c7ab43562abd792a3766707c060edef
SHA1

23858be8cfc893b5ee3965a3d38fc21d352a1659
SHA256

4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b
SHA512

0a2aa495efeb19aa4c0a23d449d260b294bd413dd2dad59d5e1b65a3f92bd9e33dade0e975b566936420abc529799f71d8d0b6b2548ba1f1d31ae509c26eafe1
SSDEEP

12288:vcD667Q4dLOSwCDfJqlE6uGiGSAlVLuBRzXA2oAMHVB66EYAUTS9D/ksSzQRs2z:vWLtwCc26uGi2VCHXSBzTaDMsAQRH

Score

10^/10

cybergate shark-vic persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.7 Final

Botnet

shark-vic

shark-tchingo.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe

Executes dropped EXE 1 IoCs

pid	Process
2876	server.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe

Loads dropped DLL 2 IoCs

pid	Process
1200	explorer.exe
1200	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	explorer.exe
Token: SeDebugPrivilege	1200	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19
PID 1976 wrote to memory of 1400	1976	4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe	19

C:\Users\Admin\AppData\Local\Temp\4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe
"C:\Users\Admin\AppData\Local\Temp\4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- - C:\dir\install\install\server.exe
    "C:\dir\install\install\server.exe"
    3⤵
    - Executes dropped EXE
    PID:2876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
588KB

MD5
0e9de26cdd0414161f46bd534b493f05

SHA1
5c54036c6ad5d8fc02ef67fc5b85df832418fcea

SHA256
96fd37a2a695fa014341511ae0b5f92df1633a111e0a1b0de2b5f123829a08e2

SHA512
4f37be453e21dac7514468ef59c66f87bcc96400f2cc01adebdbbdd6dde0c16f6ef0c6d456864811fbc67fbb4147da329ae298a39156f2756639e0f95ccdd935

Download Submit
C:\dir\install\install\server.exe

Filesize
1.1MB

MD5
5c7ab43562abd792a3766707c060edef

SHA1
23858be8cfc893b5ee3965a3d38fc21d352a1659

SHA256
4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b

SHA512
0a2aa495efeb19aa4c0a23d449d260b294bd413dd2dad59d5e1b65a3f92bd9e33dade0e975b566936420abc529799f71d8d0b6b2548ba1f1d31ae509c26eafe1

Download Submit
C:\dir\install\install\server.exe

Filesize
1.1MB

MD5
5c7ab43562abd792a3766707c060edef

SHA1
23858be8cfc893b5ee3965a3d38fc21d352a1659

SHA256
4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b

SHA512
0a2aa495efeb19aa4c0a23d449d260b294bd413dd2dad59d5e1b65a3f92bd9e33dade0e975b566936420abc529799f71d8d0b6b2548ba1f1d31ae509c26eafe1

Download Submit
\dir\install\install\server.exe

Filesize
1.1MB

MD5
5c7ab43562abd792a3766707c060edef

SHA1
23858be8cfc893b5ee3965a3d38fc21d352a1659

SHA256
4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b

SHA512
0a2aa495efeb19aa4c0a23d449d260b294bd413dd2dad59d5e1b65a3f92bd9e33dade0e975b566936420abc529799f71d8d0b6b2548ba1f1d31ae509c26eafe1

Download Submit
\dir\install\install\server.exe

Filesize
1.1MB

MD5
5c7ab43562abd792a3766707c060edef

SHA1
23858be8cfc893b5ee3965a3d38fc21d352a1659

SHA256
4269d969a7dc7004e6d36cdd847abe4c3de5e56ca6422c41b37c8b29d13a469b

SHA512
0a2aa495efeb19aa4c0a23d449d260b294bd413dd2dad59d5e1b65a3f92bd9e33dade0e975b566936420abc529799f71d8d0b6b2548ba1f1d31ae509c26eafe1

Download Submit
memory/1200-68-0x0000000074F51000-0x0000000074F53000-memory.dmp

Filesize
8KB

Download
memory/1200-86-0x0000000008D30000-0x0000000008E49000-memory.dmp

Filesize
1.1MB

Download
memory/1200-91-0x0000000008D30000-0x0000000008E49000-memory.dmp

Filesize
1.1MB

Download
memory/1200-78-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1200-90-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1200-87-0x0000000008D30000-0x0000000008E49000-memory.dmp

Filesize
1.1MB

Download
memory/1400-63-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/1976-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1976-57-0x0000000010410000-0x000000001046C000-memory.dmp

Filesize
368KB

Download
memory/1976-69-0x0000000010470000-0x00000000104CC000-memory.dmp

Filesize
368KB

Download
memory/1976-77-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2876-88-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2876-89-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download