cybergate | d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae

General

Target

d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe
Size

503KB
MD5

80a46e98cfa4fc8d93fdb5ab42913e8e
SHA1

840c5193fd1d1569db809db8081f3c3a40928727
SHA256

d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae
SHA512

264134075a3830d8058564f0effe3ca86decf3e9bbb54472a79fe028bb7427dafb19bbaf465a5dc6aa326bdb59b496d1ce1fad0cee646332c686da3116533e20
SSDEEP

12288:uFXS2fxugbRlyVL8wsjSo82v4MhCUMEOs3fDN8s3zAwqL/5No:XCHUgqoh9Oi58tNo

Score

10^/10

cybergate h persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

h

C2

rushaan.no-ip.org:80

127.0.0.1:80

127.0.0.1:100

Mutex

8TAV3B23760774

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
kernel
install_file
svhost
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
9425012255

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\kernel\\svhost"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\kernel\\svhost"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24V8N4NC-HO22-W6MY-HR4U-0ULDBKQ42KOI}\StubPath = "C:\\Windows\\kernel\\svhost Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{24V8N4NC-HO22-W6MY-HR4U-0ULDBKQ42KOI}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24V8N4NC-HO22-W6MY-HR4U-0ULDBKQ42KOI}\StubPath = "C:\\Windows\\kernel\\svhost"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{24V8N4NC-HO22-W6MY-HR4U-0ULDBKQ42KOI}	vbc.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1080-73-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1080-82-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1340-87-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1340-88-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1080-90-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1080-96-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1056-101-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1056-105-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1340-106-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1056-107-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Users\\Admin\\AppData\\Roaming\\L3G!T-Labs\\jdvs\\0.0.0.0\\Java Update.exe"	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\rundll32.exe"	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe

description	pid	process	target process
PID 1476 set thread context of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Windows\kernel\svhost vbc.exe
File opened for modification C:\Windows\kernel\svhost vbc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1080 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

1056 vbc.exe

description	ioc	process
File created	C:\Windows\kernel\svhost	vbc.exe
File opened for modification	C:\Windows\kernel\svhost	vbc.exe

pid	process
1080	vbc.exe

pid	process
1056	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exevbc.exe

description	pid	process
Token: SeBackupPrivilege	1340	explorer.exe
Token: SeRestorePrivilege	1340	explorer.exe
Token: SeBackupPrivilege	1056	vbc.exe
Token: SeRestorePrivilege	1056	vbc.exe
Token: SeDebugPrivilege	1056	vbc.exe
Token: SeDebugPrivilege	1056	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

1080 vbc.exe

pid	process
1080	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exevbc.exe

description	pid	process	target process
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1476 wrote to memory of 1080	1476	d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe	vbc.exe
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE
PID 1080 wrote to memory of 1380	1080	vbc.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe
"C:\Users\Admin\AppData\Local\Temp\d9f3b1c1c711bf673104d56810d4b1da201d80380d416702cd8f4e756d4f8eae.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1476

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1964

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
87921c39c3f124d2d214ad1978471264

SHA1
d3133a3e6936d72786dc7d97085eecd3a8305904

SHA256
faf1ca93f644df52f79cb0913d1dad872f4d9c08a803c60a6ffa8397f3b960d9

SHA512
d45cd493ebe41a213efc2095e2d78ab912df4d636140387efb7be2c1c70988988eef6c204ee441f9e31d3f301d07cefc17df6e315910789fcc6b7fdb97b3061e

Download Submit
C:\Windows\kernel\svhost
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1056-94-0x0000000000000000-mapping.dmp

Download
memory/1056-107-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1056-105-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1056-101-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1080-96-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1080-82-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1080-63-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-65-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-66-0x000000000040E1A8-mapping.dmp

Download
memory/1080-67-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-56-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-70-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-71-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-73-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1080-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-59-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-60-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-102-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-61-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1080-90-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1340-88-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1340-87-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1340-81-0x00000000746A1000-0x00000000746A3000-memory.dmp

Filesize
8KB

Download
memory/1340-79-0x0000000000000000-mapping.dmp

Download
memory/1340-106-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1380-76-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1476-68-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-55-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads