cybergate | 795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe
Size

554KB
MD5

06eeb722cab18d21f286a6f8ea8eb3f0
SHA1

c4f897fccfd4c6fda6c52ec62fcab99aa98e68d4
SHA256

795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2
SHA512

c56911f0813070e451dc179cf0f5c7a068063b930f97d8236aa8c5bbd62f3b5b10807fed1850f5543b68e04e453afb0a384e12afb1bdcf979ce0377d60988ed4
SSDEEP

12288:LNQR2iAMVCa6zlecx4OU7X971Jh3bz+Jj7hj7iM6RE21:LRinG0cx4l1zrz+37it221

Score

10^/10

cybergate inf_spr_1105 stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.4

Botnet

INF_SPR_1105

clippico.zapto.org:33881

Mutex

O42N0CEL7YE6W6

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
FlashPlayerPlugin_11_6_602_179.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
27042704
regkey_hkcu
FlashPlayerPlugin

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2732-140-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/4432-143-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/4432-144-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/4432-149-0x0000000010410000-0x0000000010480000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3712 set thread context of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4432	applaunch.exe
Token: SeDebugPrivilege	4432	applaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 3712 wrote to memory of 2732	3712	795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe	81
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83
PID 2732 wrote to memory of 4432	2732	applaunch.exe	83

C:\Users\Admin\AppData\Local\Temp\795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe
"C:\Users\Admin\AppData\Local\Temp\795f7667440ee9329a44fca679b66252039e03b1d4c6ced1bf9a481358997de2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bOXCw.vbs"
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
234KB

MD5
32a5d4b124065c9b7b1a24d5b7c37146

SHA1
930c9576064fd9745b6b2ee7ffc346163f4dfa8a

SHA256
8913e477d810a044f656381d46daf238216ac06afac7c1d642e96a1ed98851cf

SHA512
86a2ecfe712a53b678e9aaada4ee803c1b061ef2e222d23ba45d348d4be79f12dcef893a7ce29e611c7f3a9276242de8be27b876dcf5172226dee3548c61ad4d

Download Submit
C:\Users\Admin\AppData\Roaming\bOXCw.vbs

Filesize
430B

MD5
87dec7079660df904d34820c07f4ddb1

SHA1
f81ed2a496848c1c08309fd8f2a28669c510803e

SHA256
57a09972612380c050946ed6b374a88a75e4d7c78883badee36d37e29aa37935

SHA512
d626535be6ba9cc432b59010fabefa70de06b4176c12a252e5eee91dc8c33009d2eb1b4343743c07bcdb427c661fb64f78c785bfcc567383dc7a05da490e9149

Download Submit
memory/2732-135-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2732-136-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2732-137-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2732-140-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/3712-133-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/3712-132-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/3712-148-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4432-144-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/4432-143-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/4432-149-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download