cybergate | 3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2

Analysis

max time kernel
150s
max time network
62s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe
Size

1.5MB
MD5

a2e8d315ab348efbc79b9a98c2e508d1
SHA1

39be8b4efb65e747565139103ff5f3331fcd454a
SHA256

3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2
SHA512

69bd3f139bccbc5c6c81654ee633c9dd9eae50fe233f44e9247a8aee1b362aa3dd932a05571a3576cd5788fc67dafb827b79661e3d721b655bca06f277b859da
SSDEEP

24576:s7BgnrMXn24ZWNQriUt25TqvJgwLkNZtnTUvJj:slg4m4ZWNww5Tckz5T

Score

10^/10

cybergate pros1 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

pros1

kim2kim.zapto.org:1604

Mutex

U16KA63LM7VX5K

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
techno-techno

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
956	..PIF
1220	ZEUS CRYPTER.EXE

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{704L1467-6E52-G80W-O47O-UX8K3308O75J}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{704L1467-6E52-G80W-O47O-UX8K3308O75J}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	vbc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-85-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral1/memory/2028-89-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral1/memory/2028-98-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral1/memory/1504-103-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral1/memory/1504-106-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral1/memory/1504-110-0x00000000104F0000-0x0000000010560000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe
988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe
988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 2028	956	..PIF	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
956	..PIF
956	..PIF
956	..PIF
956	..PIF
956	..PIF
956	..PIF
956	..PIF
956	..PIF
956	..PIF
956	..PIF
956	..PIF
956	..PIF
2028	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	..PIF
Token: SeDebugPrivilege	1504	explorer.exe
Token: SeDebugPrivilege	1504	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 956	988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe	27
PID 988 wrote to memory of 956	988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe	27
PID 988 wrote to memory of 956	988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe	27
PID 988 wrote to memory of 956	988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe	27
PID 988 wrote to memory of 1220	988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe	28
PID 988 wrote to memory of 1220	988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe	28
PID 988 wrote to memory of 1220	988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe	28
PID 988 wrote to memory of 1220	988	3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe	28
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 956 wrote to memory of 2028	956	..PIF	29
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30
PID 2028 wrote to memory of 1336	2028	vbc.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe
  "C:\Users\Admin\AppData\Local\Temp\3f56a1924679c07d3915211112dc69e810c8fdb23406144aa276f036101ac7d2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\..PIF
    "C:\Users\Admin\AppData\Local\Temp\..PIF"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
- - C:\Users\Admin\AppData\Local\Temp\ZEUS CRYPTER.EXE
    "C:\Users\Admin\AppData\Local\Temp\ZEUS CRYPTER.EXE"
    3⤵
    - Executes dropped EXE
    PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\..PIF

Filesize
547KB

MD5
645bc0cfc6986862eda63ea25766d116

SHA1
ff329af6cccd5a711261ce29b7db992641abd211

SHA256
7d9467b36b2c207c435f954f83f8af3a245fbcadb9729c5de27697b74eaceb3b

SHA512
a2dd064b23fc082f968e82dc0c32ad7230af38f64c8ec205415d23d13a70a916ffa13dd8c1004ad9850caf9892e4a956cd92f64d524aa4118449ac6e0e214ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\..PIF

Filesize
547KB

MD5
645bc0cfc6986862eda63ea25766d116

SHA1
ff329af6cccd5a711261ce29b7db992641abd211

SHA256
7d9467b36b2c207c435f954f83f8af3a245fbcadb9729c5de27697b74eaceb3b

SHA512
a2dd064b23fc082f968e82dc0c32ad7230af38f64c8ec205415d23d13a70a916ffa13dd8c1004ad9850caf9892e4a956cd92f64d524aa4118449ac6e0e214ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
385KB

MD5
4fbdb071a978fedf709e3bec176a195c

SHA1
94d7f8b854ac21b69f597c4f1017fd52e311145b

SHA256
4e8848d77369ee3c7d5332a5da6ab33fcf890d9f7051ed8222ee5523995d6b68

SHA512
7ed22da0e05007549fcc2cfdc33bd1254b857a83fa41edcf3192b5516dde98c74f19956e3f94549c7486ba2d5f93bc74f7b2982e08e6433beec30e760db9869e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEUS CRYPTER.EXE

Filesize
946KB

MD5
4d1e194218bac0be78d20141d323f940

SHA1
ec7ceda13a3e3ef5e0f38ee06c57fc04f4230d2d

SHA256
6e626d198b05038345fbc37e3a6a2bb6b62af47fbcb5f1bdcfa6b84f9555c285

SHA512
1424b3c9611c8fde23f8566f34af781a4389500d7dccda99cc8c8a15024c34f73a10492d5fa55caf000fcfbebce0515a791101caa61f1c6a31653169d29c6e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZEUS CRYPTER.EXE

Filesize
946KB

MD5
4d1e194218bac0be78d20141d323f940

SHA1
ec7ceda13a3e3ef5e0f38ee06c57fc04f4230d2d

SHA256
6e626d198b05038345fbc37e3a6a2bb6b62af47fbcb5f1bdcfa6b84f9555c285

SHA512
1424b3c9611c8fde23f8566f34af781a4389500d7dccda99cc8c8a15024c34f73a10492d5fa55caf000fcfbebce0515a791101caa61f1c6a31653169d29c6e36

Download Submit
\??\c:\directory\CyberGate\install\server.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\..PIF

Filesize
547KB

MD5
645bc0cfc6986862eda63ea25766d116

SHA1
ff329af6cccd5a711261ce29b7db992641abd211

SHA256
7d9467b36b2c207c435f954f83f8af3a245fbcadb9729c5de27697b74eaceb3b

SHA512
a2dd064b23fc082f968e82dc0c32ad7230af38f64c8ec205415d23d13a70a916ffa13dd8c1004ad9850caf9892e4a956cd92f64d524aa4118449ac6e0e214ec9

Download Submit
\Users\Admin\AppData\Local\Temp\..PIF

Filesize
547KB

MD5
645bc0cfc6986862eda63ea25766d116

SHA1
ff329af6cccd5a711261ce29b7db992641abd211

SHA256
7d9467b36b2c207c435f954f83f8af3a245fbcadb9729c5de27697b74eaceb3b

SHA512
a2dd064b23fc082f968e82dc0c32ad7230af38f64c8ec205415d23d13a70a916ffa13dd8c1004ad9850caf9892e4a956cd92f64d524aa4118449ac6e0e214ec9

Download Submit
\Users\Admin\AppData\Local\Temp\ZEUS CRYPTER.EXE

Filesize
946KB

MD5
4d1e194218bac0be78d20141d323f940

SHA1
ec7ceda13a3e3ef5e0f38ee06c57fc04f4230d2d

SHA256
6e626d198b05038345fbc37e3a6a2bb6b62af47fbcb5f1bdcfa6b84f9555c285

SHA512
1424b3c9611c8fde23f8566f34af781a4389500d7dccda99cc8c8a15024c34f73a10492d5fa55caf000fcfbebce0515a791101caa61f1c6a31653169d29c6e36

Download Submit
memory/956-68-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/956-82-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/988-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1220-70-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-109-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-108-0x00000000007C6000-0x00000000007D7000-memory.dmp

Filesize
68KB

Download
memory/1220-61-0x0000000000000000-mapping.dmp

Download
memory/1244-92-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1504-95-0x0000000000000000-mapping.dmp

Download
memory/1504-110-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/1504-106-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/1504-103-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/1504-97-0x00000000719C1000-0x00000000719C3000-memory.dmp

Filesize
8KB

Download
memory/2028-75-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-98-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/2028-85-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/2028-89-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/2028-74-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-72-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-81-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-83-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-79-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-71-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-78-0x0000000000409860-mapping.dmp

Download
memory/2028-107-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-67-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-77-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download