Malware Analysis Report

2025-08-10 17:47

Sample ID 221021-hkwv2agbgm
Target be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9
SHA256 be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9
Tags
cybergate cybergate15444 stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9

Threat Level: Known bad

The file be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9 was found to be: Known bad.

Malicious Activity Summary

cybergate cybergate15444 stealer trojan

CyberGate, Rebhip

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-10-21 06:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-21 06:48

Reported

2022-10-21 15:34

Platform

win7-20220901-en

Max time kernel

44s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe
PID 1696 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe
PID 1696 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe
PID 1696 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe
PID 1696 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe
PID 1696 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe

"C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe"

C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe

"C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe" "

Network

N/A

Files

memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

memory/980-55-0x0000000000400000-0x000000000044F000-memory.dmp

memory/980-58-0x000000000040E1A8-mapping.dmp

memory/980-57-0x0000000000400000-0x000000000044F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-21 06:48

Reported

2022-10-21 15:35

Platform

win10v2004-20220812-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe

"C:\Users\Admin\AppData\Local\Temp\be16763da84381a64d8811a8e1500229735b0188f323816133d530304d6f46d9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 628 -ip 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 264

Network

Country Destination Domain Proto
US 8.238.20.126:80 tcp
US 8.238.20.126:80 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.253.208.120:80 tcp
US 8.8.8.8:53 d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

N/A