cybergate | 444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e

Analysis

max time kernel
154s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe
Size

2.4MB
MD5

8809a4a1ea93bd00e285537b667be695
SHA1

e188033f765e93fd006bbf7d24df90558c9b4e45
SHA256

444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e
SHA512

17d1606a8deaf0e5b27aa2ac79fba47ebd5c972f0675537ad8b4e90839b394f346cb0266382f6520e3a94c2735bbd001cd104f68e1961cf5c22d986cb665915a
SSDEEP

49152:+moLw7thjaodvMM+ZizIHcamGI+YJ3gYju9SFw5u:PoytA4UM+ZizIHcBGUJQg0+h

Score

10^/10

cybergate ki evasion persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

rhkrdlf.codns.com:8000

Mutex

T574NUUW0H2LS1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	windows.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	server.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	windows.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	windows.exe

Executes dropped EXE 3 IoCs

pid	Process
2028	windows.exe
2232	foxserver.exe
5092	server.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	windows.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K7WP3FMV-DOYG-RY0J-7K6E-2K10R74L515N}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe"	explorer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2028-142-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2028-147-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4924-150-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4924-151-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/2028-156-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/3608-159-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/3608-165-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral2/memory/4924-168-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/3608-170-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine	server.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine	windows.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2028	windows.exe
5092	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
756	5092	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2028	windows.exe
2028	windows.exe
2028	windows.exe
2028	windows.exe
5092	server.exe
5092	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3608	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4924	explorer.exe
Token: SeRestorePrivilege	4924	explorer.exe
Token: SeBackupPrivilege	3608	explorer.exe
Token: SeRestorePrivilege	3608	explorer.exe
Token: SeDebugPrivilege	3608	explorer.exe
Token: SeDebugPrivilege	3608	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	windows.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2232	foxserver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2028	4800	444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe	81
PID 4800 wrote to memory of 2028	4800	444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe	81
PID 4800 wrote to memory of 2028	4800	444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe	81
PID 4800 wrote to memory of 2232	4800	444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe	82
PID 4800 wrote to memory of 2232	4800	444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe	82
PID 4800 wrote to memory of 2232	4800	444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe	82
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54
PID 2028 wrote to memory of 2640	2028	windows.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe
  "C:\Users\Admin\AppData\Local\Temp\444809a4b0c23e087887feeff065e7c3b4c39d37e41a002dee4c0f7e2020b70e.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\windows.exe
    "C:\windows.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      PID:4924
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3608
    - - C:\directory\CyberGate\install\server.exe
        
        "C:\directory\CyberGate\install\server.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:5092
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 772
        6⤵
        Program crash
        
        PID:756
- - C:\foxserver.exe
    "C:\foxserver.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5092 -ip 5092
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
7c7261023415d682b52e200532aa2f24

SHA1
312010f4675054e6fccf9a8beda19b42e34ad59d

SHA256
4ea8a9572a8d02df1b899b285bf6c5aaf254bb393c37ed04301b42b195e020c3

SHA512
d3a07fbcda8769623524e630e75c599e42bb09871c887898751b1548ee66b7347145b333fc4592e77c623e758a00d4ffb8884148b761c9c62f2b623679af8fb3

Download Submit
C:\directory\CyberGate\install\server.exe

Filesize
1.0MB

MD5
ee6444ed154169c95dbc9a7eb23e2f44

SHA1
1e78051c1a8312573b96685fd4b3b51b5733bc1a

SHA256
74ddfbfc86112b68ac050c7d733a6b4a1ef0f53360c34170c406214f642115f4

SHA512
c24534b1872beca028262ecd74f3c93fd5b752e64e6160b79e84708f693dc84af14b997d1312419043d60a74dbfcbf72d322c71229ba0802f229811b5bbef71c

Download Submit
C:\foxserver.exe

Filesize
3.3MB

MD5
21771115fc06f673950bc12c8af47b10

SHA1
208c2b72cf3295fe2607bfde8082daee38a24ed3

SHA256
ce9bae3731cb8398bccdeb7ea83b006ad2a1b8ec632d9c432fab0724583250c3

SHA512
8b49408e41c7d5708e99900a79bbdbf7b042e84875b0b397c4691f73b0b4b3577babb6bec8a676454d197b1004fda804bf8625997a280a2a02a69ca5a437484a

Download Submit
C:\foxserver.exe

Filesize
3.3MB

MD5
21771115fc06f673950bc12c8af47b10

SHA1
208c2b72cf3295fe2607bfde8082daee38a24ed3

SHA256
ce9bae3731cb8398bccdeb7ea83b006ad2a1b8ec632d9c432fab0724583250c3

SHA512
8b49408e41c7d5708e99900a79bbdbf7b042e84875b0b397c4691f73b0b4b3577babb6bec8a676454d197b1004fda804bf8625997a280a2a02a69ca5a437484a

Download Submit
C:\windows.exe

Filesize
1.0MB

MD5
ee6444ed154169c95dbc9a7eb23e2f44

SHA1
1e78051c1a8312573b96685fd4b3b51b5733bc1a

SHA256
74ddfbfc86112b68ac050c7d733a6b4a1ef0f53360c34170c406214f642115f4

SHA512
c24534b1872beca028262ecd74f3c93fd5b752e64e6160b79e84708f693dc84af14b997d1312419043d60a74dbfcbf72d322c71229ba0802f229811b5bbef71c

Download Submit
C:\windows.exe

Filesize
1.0MB

MD5
ee6444ed154169c95dbc9a7eb23e2f44

SHA1
1e78051c1a8312573b96685fd4b3b51b5733bc1a

SHA256
74ddfbfc86112b68ac050c7d733a6b4a1ef0f53360c34170c406214f642115f4

SHA512
c24534b1872beca028262ecd74f3c93fd5b752e64e6160b79e84708f693dc84af14b997d1312419043d60a74dbfcbf72d322c71229ba0802f229811b5bbef71c

Download Submit
\??\c:\directory\CyberGate\install\server.exe

Filesize
1.0MB

MD5
ee6444ed154169c95dbc9a7eb23e2f44

SHA1
1e78051c1a8312573b96685fd4b3b51b5733bc1a

SHA256
74ddfbfc86112b68ac050c7d733a6b4a1ef0f53360c34170c406214f642115f4

SHA512
c24534b1872beca028262ecd74f3c93fd5b752e64e6160b79e84708f693dc84af14b997d1312419043d60a74dbfcbf72d322c71229ba0802f229811b5bbef71c

Download Submit
memory/2028-140-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2028-156-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/2028-142-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2028-139-0x0000000077090000-0x0000000077233000-memory.dmp

Filesize
1.6MB

Download
memory/2028-147-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2028-161-0x0000000077090000-0x0000000077233000-memory.dmp

Filesize
1.6MB

Download
memory/2028-160-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2028-138-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2028-132-0x0000000000000000-mapping.dmp

Download
memory/2232-135-0x0000000000000000-mapping.dmp

Download
memory/3608-155-0x0000000000000000-mapping.dmp

Download
memory/3608-165-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/3608-170-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/3608-159-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/4924-168-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4924-146-0x0000000000000000-mapping.dmp

Download
memory/4924-150-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4924-151-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/5092-164-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/5092-162-0x0000000000000000-mapping.dmp

Download
memory/5092-166-0x0000000077090000-0x0000000077233000-memory.dmp

Filesize
1.6MB

Download
memory/5092-167-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/5092-169-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/5092-171-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/5092-172-0x0000000077090000-0x0000000077233000-memory.dmp

Filesize
1.6MB

Download