cybergate | e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d

General

Target

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe
Size

458KB
MD5

7655b168be775811d0ed9a9f4ba083b8
SHA1

4e6a0112b568b49ae3261e700a92e3efc3cf86bd
SHA256

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d
SHA512

08215ceaf3ce46bddc232a44dabae3ccb5a47acd76d47c63d394ce10ca6d25957f0f66acb7e6f24be2cee3e89e2989c67c417893e40cbc21027b1aabd56f5c25
SSDEEP

12288:ZnMi8dvwFdYrYLHme6YazdickUw3R84GYFRLFPJNa:ZMdvwoQm4azdnMTRnN

Score

10^/10

cybergate mikael persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

mikael

C2

mike2375.no-ip.org:7777

Mutex

231V04PN37A683

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
237566

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 1 IoCs

Processes:

worm.exe

pid process

2352 worm.exe

pid	process
2352	worm.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3320-151-0x0000000010410000-0x0000000010482000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmpnetk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmpnet32.exe"	vbc.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

worm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	worm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	worm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Universal = "0"	worm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe

description	pid	process	target process
PID 1400 set thread context of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 set thread context of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

worm.exe

description pid process

Token: SeDebugPrivilege 2352 worm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4764 vbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2352	worm.exe

pid	process
4764	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exevbc.exe

description	pid	process	target process
PID 1400 wrote to memory of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 4764	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3156	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	cmd.exe
PID 1400 wrote to memory of 3156	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	cmd.exe
PID 1400 wrote to memory of 3156	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	cmd.exe
PID 1400 wrote to memory of 2352	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	worm.exe
PID 1400 wrote to memory of 2352	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	worm.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 1400 wrote to memory of 3320	1400	e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe	vbc.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe
PID 3320 wrote to memory of 1500	3320	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe
"C:\Users\Admin\AppData\Local\Temp\e65fb6954206168b9b7acfbedbcfea29b92cf5f761f7622f1eec54eca0573c2d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:3156

C:\Users\Admin\AppData\Local\Temp\worm.exe
"C:\Users\Admin\AppData\Local\Temp\worm.exe"
2⤵
- Executes dropped EXE
- Modifies WinLogon
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fp.txt
Filesize
102B

MD5
029fc237aa7e0bf9dfb836c6d4c7585e

SHA1
313fce40bbf6569841c9f4e0540ea4735b930772

SHA256
7582701b63c953b3769daee8037ffbfcf727f859813a6642d8e068be75f4dcd0

SHA512
b337b0ac1cadc9b999a9b681d22dad91db08e3e6507a80237a6e9ddc378a1039cdcea4dd7f391d962a8db0689c933c6982b38231af50651e9d1b1a3c5c06082e

Download Submit
C:\Users\Admin\AppData\Local\Temp\worm.exe
Filesize
27KB

MD5
ebe3cf3363224eccb1b4f3f101ccf5e2

SHA1
131eed3f288b4cfd04eabaa0fae7ecbdeeaf3a74

SHA256
71bfb0019a175f9af11e5c9d32dd062593b3ddc5fbef48bc393feebcc4af4354

SHA512
f55165ac91fd39e425de6164ffa6ab8cb9b6205a731e851f2c66fa77fe37f6534ec0b207bf77da8174d257a2a18936cb6cb218b6d606064bacbefd2606b97346

Download Submit
C:\Users\Admin\AppData\Local\Temp\worm.exe
Filesize
27KB

MD5
ebe3cf3363224eccb1b4f3f101ccf5e2

SHA1
131eed3f288b4cfd04eabaa0fae7ecbdeeaf3a74

SHA256
71bfb0019a175f9af11e5c9d32dd062593b3ddc5fbef48bc393feebcc4af4354

SHA512
f55165ac91fd39e425de6164ffa6ab8cb9b6205a731e851f2c66fa77fe37f6534ec0b207bf77da8174d257a2a18936cb6cb218b6d606064bacbefd2606b97346

Download Submit
memory/1400-156-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1400-141-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1400-132-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2352-148-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download
memory/2352-157-0x00007FFB7F2D0000-0x00007FFB7FD91000-memory.dmp

Filesize
10.8MB

Download
memory/2352-142-0x0000000000000000-mapping.dmp

Download
memory/3148-155-0x0000000000000000-mapping.dmp

Download
memory/3156-140-0x0000000000000000-mapping.dmp

Download
memory/3320-145-0x0000000000000000-mapping.dmp

Download
memory/3320-147-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3320-146-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3320-149-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3320-151-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/3320-158-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4764-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4764-134-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4764-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads