cybergate | e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d

General

Target

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe
Size

458KB
MD5

7655b168be775811d0ed9a9f4ba083b8
SHA1

4e6a0112b568b49ae3261e700a92e3efc3cf86bd
SHA256

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d
SHA512

08215ceaf3ce46bddc232a44dabae3ccb5a47acd76d47c63d394ce10ca6d25957f0f66acb7e6f24be2cee3e89e2989c67c417893e40cbc21027b1aabd56f5c25
SSDEEP

12288:ZnMi8dvwFdYrYLHme6YazdickUw3R84GYFRLFPJNa:ZMdvwoQm4azdnMTRnN

Score

10^/10

cybergate mikael persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

mikael

C2

mike2375.no-ip.org:7777

Mutex

231V04PN37A683

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
237566

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 1 IoCs

Processes:

worm.exe

pid process

1732 worm.exe

pid	process
1732	worm.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/524-90-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral1/memory/524-96-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/612-101-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/612-103-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/612-107-0x0000000010490000-0x0000000010502000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe

pid process

2032 e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmpnetk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmpnet32.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

worm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	worm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	worm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Universal = "0"	worm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe

description	pid	process	target process
PID 2032 set thread context of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 set thread context of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1080 1732 WerFault.exe worm.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

612 vbc.exe

pid	pid_target	process	target process
1080	1732	WerFault.exe	worm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier	cmd.exe

pid	process
612	vbc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

vbc.exeworm.exe

description	pid	process
Token: SeBackupPrivilege	612	vbc.exe
Token: SeRestorePrivilege	612	vbc.exe
Token: SeDebugPrivilege	612	vbc.exe
Token: SeDebugPrivilege	612	vbc.exe
Token: SeDebugPrivilege	1732	worm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1924 vbc.exe

pid	process
1924	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exevbc.exe

description	pid	process	target process
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 1924	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 368	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	cmd.exe
PID 2032 wrote to memory of 368	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	cmd.exe
PID 2032 wrote to memory of 368	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	cmd.exe
PID 2032 wrote to memory of 368	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	cmd.exe
PID 2032 wrote to memory of 1732	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	worm.exe
PID 2032 wrote to memory of 1732	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	worm.exe
PID 2032 wrote to memory of 1732	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	worm.exe
PID 2032 wrote to memory of 1732	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	worm.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 2032 wrote to memory of 524	2032	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe
PID 524 wrote to memory of 1444	524	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe
"C:\Users\Admin\AppData\Local\Temp\e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:368

C:\Users\Admin\AppData\Local\Temp\worm.exe
"C:\Users\Admin\AppData\Local\Temp\worm.exe"
2⤵
- Executes dropped EXE
- Modifies WinLogon
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1732 -s 1764
3⤵
- Program crash
PID:1080

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
236KB

MD5
21c12c2dce94ffce920fdf18f2848962

SHA1
ec83cb0e2b89cfd3ad2fdcfc658329457fb6c502

SHA256
e340c003d52edd06026e16c4697fd3fc7f06923e2d037eecaf20a5f1865031c5

SHA512
f563b7c3e9754dfbdfef727c13af36b5c4c8126e7315b9c55d9105c577ddd2165a54bd9a7299e43610855b387b3b889382a605c284ab86245e01ac80d5044bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fp.txt
Filesize
102B

MD5
029fc237aa7e0bf9dfb836c6d4c7585e

SHA1
313fce40bbf6569841c9f4e0540ea4735b930772

SHA256
7582701b63c953b3769daee8037ffbfcf727f859813a6642d8e068be75f4dcd0

SHA512
b337b0ac1cadc9b999a9b681d22dad91db08e3e6507a80237a6e9ddc378a1039cdcea4dd7f391d962a8db0689c933c6982b38231af50651e9d1b1a3c5c06082e

Download Submit
C:\Users\Admin\AppData\Local\Temp\worm.exe
Filesize
27KB

MD5
ebe3cf3363224eccb1b4f3f101ccf5e2

SHA1
131eed3f288b4cfd04eabaa0fae7ecbdeeaf3a74

SHA256
71bfb0019a175f9af11e5c9d32dd062593b3ddc5fbef48bc393feebcc4af4354

SHA512
f55165ac91fd39e425de6164ffa6ab8cb9b6205a731e851f2c66fa77fe37f6534ec0b207bf77da8174d257a2a18936cb6cb218b6d606064bacbefd2606b97346

Download Submit
C:\Users\Admin\AppData\Local\Temp\worm.exe
Filesize
27KB

MD5
ebe3cf3363224eccb1b4f3f101ccf5e2

SHA1
131eed3f288b4cfd04eabaa0fae7ecbdeeaf3a74

SHA256
71bfb0019a175f9af11e5c9d32dd062593b3ddc5fbef48bc393feebcc4af4354

SHA512
f55165ac91fd39e425de6164ffa6ab8cb9b6205a731e851f2c66fa77fe37f6534ec0b207bf77da8174d257a2a18936cb6cb218b6d606064bacbefd2606b97346

Download Submit
\Users\Admin\AppData\Local\Temp\worm.exe
Filesize
27KB

MD5
ebe3cf3363224eccb1b4f3f101ccf5e2

SHA1
131eed3f288b4cfd04eabaa0fae7ecbdeeaf3a74

SHA256
71bfb0019a175f9af11e5c9d32dd062593b3ddc5fbef48bc393feebcc4af4354

SHA512
f55165ac91fd39e425de6164ffa6ab8cb9b6205a731e851f2c66fa77fe37f6534ec0b207bf77da8174d257a2a18936cb6cb218b6d606064bacbefd2606b97346

Download Submit
memory/368-68-0x0000000000000000-mapping.dmp

Download
memory/524-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-84-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-104-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-96-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/524-90-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/524-88-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-86-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-82-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-73-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-74-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-76-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-77-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-83-0x000000000040A0C4-mapping.dmp

Download
memory/524-79-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/524-80-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/612-99-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/612-107-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/612-103-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/612-101-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/612-94-0x0000000000000000-mapping.dmp

Download
memory/1080-106-0x0000000000000000-mapping.dmp

Download
memory/1732-105-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1732-87-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/1732-70-0x0000000000000000-mapping.dmp

Download
memory/1924-59-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1924-61-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1924-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1924-67-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1924-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1924-62-0x0000000000401240-mapping.dmp

Download
memory/2032-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-85-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads