Malware Analysis Report

2025-08-10 17:50

Sample ID 221021-h7gdvshcdp
Target 7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a
SHA256 7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a
Tags cybergate lamer persistence stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a

Threat Level: Known bad

The file 7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a was found to be: Known bad.

Malicious Activity Summary

cybergate lamer persistence stealer trojan upx

CyberGate, Rebhip

Executes dropped EXE

UPX packed file

Modifies Installed Components in the registry

Adds policy Run key to start application

Checks computer location settings

Loads dropped DLL

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-21 07:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-21 07:22

Reported

2022-10-21 16:28

Platform

win7-20220812-en

Max time kernel

170s

Max time network

208s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
N/A N/A C:\Program Files (x86)\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y77N30K0-I7DI-0K56-6Y56-WPUQT2A78T24} C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y77N30K0-I7DI-0K56-6Y56-WPUQT2A78T24}\StubPath = "C:\\Program Files (x86)\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\install\server.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
File opened for modification C:\Program Files (x86)\install\server.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
File opened for modification C:\Program Files (x86)\install\server.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
File opened for modification C:\Program Files (x86)\install\ C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1032 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1032 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1032 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 1764 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe

"C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe"

C:\Users\Admin\AppData\Local\Temp\Idman.exe

"C:\Users\Admin\AppData\Local\Temp\Idman.exe"

C:\Users\Admin\AppData\Local\Temp\Idman.exe

"C:\Users\Admin\AppData\Local\Temp\Idman.exe"

C:\Program Files (x86)\install\server.exe

"C:\Program Files (x86)\install\server.exe"

Network

Country Destination Domain Proto
N/A 192.168.1.68:4899 tcp
N/A 192.168.1.68:4899 tcp

Files

memory/1032-54-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

memory/1032-55-0x000007FEF2760000-0x000007FEF37F6000-memory.dmp

memory/1764-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Idman.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/1032-58-0x0000000001E86000-0x0000000001EA5000-memory.dmp

memory/1764-59-0x0000000075601000-0x0000000075603000-memory.dmp

memory/1764-60-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Idman.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

\Users\Admin\AppData\Local\Temp\Idman.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/956-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Idman.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/1764-67-0x0000000000220000-0x0000000000277000-memory.dmp

memory/956-68-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1764-69-0x0000000024010000-0x0000000024072000-memory.dmp

memory/956-72-0x0000000024010000-0x0000000024072000-memory.dmp

memory/1764-74-0x0000000000400000-0x0000000000457000-memory.dmp

memory/956-75-0x0000000024010000-0x0000000024072000-memory.dmp

memory/956-76-0x0000000024010000-0x0000000024072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 c5e1bdd86e67331360efe4b1beef79ba
SHA1 4d2d1165550f9bfb94174e5a7a2f3906dbec5cfb
SHA256 18d6d25a2689dbbbdb7315b7bdf0b709bd866d39498dc1e9ea36e1c48277fa96
SHA512 448a4e895d86b40c83907248d739f67abd1dd48d67058471440d168cd53043a27b4cbdab1ce4c06db225a5fa24cc0781f90ce695e4366624fb76c4bf442e0145

C:\Program Files (x86)\install\server.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

\Program Files (x86)\install\server.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

\Program Files (x86)\install\server.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/1880-81-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\install\server.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/956-84-0x0000000004AB0000-0x0000000004B07000-memory.dmp

memory/956-85-0x0000000004AB0000-0x0000000004B07000-memory.dmp

memory/1880-86-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1880-87-0x0000000000400000-0x0000000000457000-memory.dmp

memory/956-88-0x0000000024010000-0x0000000024072000-memory.dmp

memory/956-89-0x0000000004AB0000-0x0000000004B07000-memory.dmp

memory/956-90-0x0000000004AB0000-0x0000000004B07000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-21 07:22

Reported

2022-10-21 16:28

Platform

win10v2004-20220812-en

Max time kernel

193s

Max time network

227s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\install\\server.exe" C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
N/A N/A C:\Program Files (x86)\install\server.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y77N30K0-I7DI-0K56-6Y56-WPUQT2A78T24} C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y77N30K0-I7DI-0K56-6Y56-WPUQT2A78T24}\StubPath = "C:\\Program Files (x86)\\install\\server.exe Restart" C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\install\server.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
File opened for modification C:\Program Files (x86)\install\server.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
File opened for modification C:\Program Files (x86)\install\ C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
File created C:\Program Files (x86)\install\server.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\install\server.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5096 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5096 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe
PID 5116 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\Idman.exe C:\Users\Admin\AppData\Local\Temp\Idman.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe

"C:\Users\Admin\AppData\Local\Temp\7b437cc1875271300de70e1f1581346793d18c6beec8c3251e39e47e882a7f2a.exe"

C:\Users\Admin\AppData\Local\Temp\Idman.exe

"C:\Users\Admin\AppData\Local\Temp\Idman.exe"

C:\Users\Admin\AppData\Local\Temp\Idman.exe

"C:\Users\Admin\AppData\Local\Temp\Idman.exe"

C:\Program Files (x86)\install\server.exe

"C:\Program Files (x86)\install\server.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 568

Network

Country Destination Domain Proto
US 67.24.171.254:80 tcp
US 67.24.171.254:80 tcp
US 93.184.220.29:80 tcp
US 52.182.143.210:443 tcp
US 67.24.171.254:80 tcp
US 67.24.171.254:80 tcp
N/A 192.168.1.68:4899 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
N/A 192.168.1.68:4899 tcp
N/A 192.168.1.68:4899 tcp
N/A 192.168.1.68:4899 tcp
N/A 192.168.1.68:4899 tcp

Files

memory/5096-132-0x00007FF903E50000-0x00007FF904886000-memory.dmp

memory/5116-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Idman.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/5116-135-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Idman.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/4852-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Idman.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/4852-143-0x0000000024010000-0x0000000024072000-memory.dmp

memory/5116-140-0x0000000024010000-0x0000000024072000-memory.dmp

memory/5116-144-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 c5e1bdd86e67331360efe4b1beef79ba
SHA1 4d2d1165550f9bfb94174e5a7a2f3906dbec5cfb
SHA256 18d6d25a2689dbbbdb7315b7bdf0b709bd866d39498dc1e9ea36e1c48277fa96
SHA512 448a4e895d86b40c83907248d739f67abd1dd48d67058471440d168cd53043a27b4cbdab1ce4c06db225a5fa24cc0781f90ce695e4366624fb76c4bf442e0145

C:\Program Files (x86)\install\server.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

C:\Program Files (x86)\install\server.exe

MD5 272f511f152edb6bc58d6d01366c426e
SHA1 cd42a68f76452a98ce81a59eb423775d31862e09
SHA256 8ad6d6732f1c893bf3c04e7d2f68109b95172e3d98507dd28a89b48d58c45566
SHA512 5cf7ad9d89109f9100568fd6050c7e76aff4c1ffbbcd20a7b6f6e5b8737ac616117896f19f672f46497d661220df9335a4ea828931bde289465406193a479c87

memory/1948-147-0x0000000000000000-mapping.dmp

memory/1948-149-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4852-150-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4852-151-0x0000000024010000-0x0000000024072000-memory.dmp

memory/4852-152-0x0000000024010000-0x0000000024072000-memory.dmp