cybergate | e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e

Analysis

max time kernel
92s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 05:11

Target

e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e.dll
Size

612KB
MD5

4c135164ab221e6cfd8290800578432f
SHA1

bfdf17d55112c9b331a442f44c0a1b3a95bf3859
SHA256

e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e
SHA512

35822292fb8a3e9535a571d68a899803136da15eeb72d11dfa1822abdf1b50054ffe8de6d10596fee37e4a7827e18471f670b63822cd9851126187550b541368
SSDEEP

12288:2U5GLE0kuGnESBW+8H9u6vRHO/UUCruWVz/:2U4MtnES78HPuWVz

Score

10^/10

Family

cybergate

Version

v1.04.8

Botnet

hack

sss.servepics.com:53320

Mutex

K2GHPW524P62M8

Attributes

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4912 1568 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4912	1568	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2448 wrote to memory of 1568	2448	rundll32.exe	rundll32.exe
PID 2448 wrote to memory of 1568	2448	rundll32.exe	rundll32.exe
PID 2448 wrote to memory of 1568	2448	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a96683df71dd5f21311792e24eaebf78e37d05b8248ba655f68be01038457e.dll,#1
2⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 616
3⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 1568
1⤵
PID:5028

memory/1568-132-0x0000000000000000-mapping.dmp

Download
memory/1568-133-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1568-134-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download