cybergate | 816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8

General

Target

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
Size

2.6MB
MD5

546769859cbe499ca5a2cf5fc84234a7
SHA1

7e725d4ed01753bab0897e0d7e7d205f746006e3
SHA256

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8
SHA512

b6064389a377f1bb88655db6ca1482f44e5af584f2278049ba1f6e9fe4c3efc4efb790b58e7be00577ac49720c4e107e4b1c38a218ce67e71e3fd2214846c006
SSDEEP

49152:/bCjPKNqQq1YA7nCflADKnxCvRC0bbw9Dr20tzHqEKWHfQ60rV0PPcJ:zCjPKNEZn0C5dw9DSrwo6YJ

Score

10^/10

cybergate vpn30112014 persistence spyware stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

VPN30112014

C2

joujounette974.ddns.net:8027

Mutex

CCFNROF7GT3773

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "%AppData%\\plugin-container.exe,explorer.exe"	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe Flash Player = "%AppData%\\plugin-container.exe"	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

Executes dropped EXE 3 IoCs

Processes:

CY.EXEHC.EXEHIDDEN SIGHT.EXE

pid process

1980 CY.EXE
4816 HC.EXE
1772 HIDDEN SIGHT.EXE

pid	process
1980	CY.EXE
4816	HC.EXE
1772	HIDDEN SIGHT.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1980-149-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/1980-154-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/996-157-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/996-160-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/996-166-0x0000000010480000-0x00000000104F0000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Player = "%AppData%\\plugin-container.exe"	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

description	pid	process	target process
PID 2928 set thread context of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 996 explorer.exe
Token: SeDebugPrivilege 996 explorer.exe

description	pid	process
Token: SeDebugPrivilege	996	explorer.exe
Token: SeDebugPrivilege	996	explorer.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exeCY.EXE

pid	process
2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
1980	CY.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

pid	process
2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

HC.EXE

pid process

4816 HC.EXE
4816 HC.EXE

pid	process
4816	HC.EXE
4816	HC.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exesvchost.exeCY.EXE

description	pid	process	target process
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2928 wrote to memory of 2112	2928	816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe	svchost.exe
PID 2112 wrote to memory of 1980	2112	svchost.exe	CY.EXE
PID 2112 wrote to memory of 1980	2112	svchost.exe	CY.EXE
PID 2112 wrote to memory of 1980	2112	svchost.exe	CY.EXE
PID 2112 wrote to memory of 4816	2112	svchost.exe	HC.EXE
PID 2112 wrote to memory of 4816	2112	svchost.exe	HC.EXE
PID 2112 wrote to memory of 1772	2112	svchost.exe	HIDDEN SIGHT.EXE
PID 2112 wrote to memory of 1772	2112	svchost.exe	HIDDEN SIGHT.EXE
PID 2112 wrote to memory of 1772	2112	svchost.exe	HIDDEN SIGHT.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE
PID 1980 wrote to memory of 3092	1980	CY.EXE	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe
"C:\Users\Admin\AppData\Local\Temp\816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe"
2⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\CY.EXE
"C:\Users\Admin\AppData\Local\Temp\CY.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\explorer.exe
explorer.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\AppData\Local\Temp\HC.EXE
"C:\Users\Admin\AppData\Local\Temp\HC.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
"C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE"
4⤵
- Executes dropped EXE
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
385KB

MD5
6d33f9966a320ca51fdc50f438d6c1a0

SHA1
a439e886fd4783ed9805ce94272a3cce6875aac5

SHA256
f109ca470c23312aa7bdbfc661c535b808884b5fcccc9310bfa563130edaad7f

SHA512
2ab85a01ee3187f23747303f310d68621b1f11437dc31ee8940b1cc6a1bec3fde36214a059eb12e219cb8f55755dbe22ad0b8f315e0b9a3a307e87e084b68f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CY.EXE
Filesize
428KB

MD5
20e131ef927533d9a1ff79126d528584

SHA1
d9122523f6e06b24f6e06a90bd5a226f496cfb92

SHA256
40f958bb58ff8c7da9384959e96985077c33d8f7a9aecf8575758dd4ba19cf8a

SHA512
9bad09738db20253cb98996f68ac12ab0fc435dbbb63b70090fb4424be7564c51363822dafc22e3c9039a37d38cd3d03ad7c930240cc472a597c11860dedb3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CY.EXE
Filesize
428KB

MD5
20e131ef927533d9a1ff79126d528584

SHA1
d9122523f6e06b24f6e06a90bd5a226f496cfb92

SHA256
40f958bb58ff8c7da9384959e96985077c33d8f7a9aecf8575758dd4ba19cf8a

SHA512
9bad09738db20253cb98996f68ac12ab0fc435dbbb63b70090fb4424be7564c51363822dafc22e3c9039a37d38cd3d03ad7c930240cc472a597c11860dedb3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HC.EXE
Filesize
72KB

MD5
82c18853a10769cc29d6bca6c6c70aee

SHA1
441bd8c2bc52f7dc8329ae319b2ee4e5e3badc16

SHA256
bd2b7d6930082bf9c463870d783021e860d9632bbfc85d2239929aca17ad79ce

SHA512
dc5532408ee5dbc450b8c63160d2740378ec54ceb12ac6ad0167c9f78c500008992aaef818b79cbcd374437fd2eeb9ef63fe8e5ea4ef0990e3ccc34c10a35a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HC.EXE
Filesize
72KB

MD5
82c18853a10769cc29d6bca6c6c70aee

SHA1
441bd8c2bc52f7dc8329ae319b2ee4e5e3badc16

SHA256
bd2b7d6930082bf9c463870d783021e860d9632bbfc85d2239929aca17ad79ce

SHA512
dc5532408ee5dbc450b8c63160d2740378ec54ceb12ac6ad0167c9f78c500008992aaef818b79cbcd374437fd2eeb9ef63fe8e5ea4ef0990e3ccc34c10a35a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDDEN SIGHT.EXE
Filesize
1.3MB

MD5
d57c0b186f317542fe21e13b415afd0e

SHA1
573039eab32ee2fc5e1dc7d0e49ba42599133537

SHA256
15a877e08c08605b2bcb75ccb1e40d97cdbd9e10c0911e282d2637ae49793525

SHA512
9efb47475bf66b6110bb8deac221212c28cac4c41f720ebfb701a2932edfbc00fb683d00bdd7c67465ad78f670dd0e8e935d1cc33c739b708bec162dda777735

Download Submit
memory/996-157-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/996-166-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/996-160-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/996-153-0x0000000000000000-mapping.dmp

Download
memory/1772-165-0x0000000005EF0000-0x0000000005F46000-memory.dmp

Filesize
344KB

Download
memory/1772-164-0x0000000005C60000-0x0000000005C6A000-memory.dmp

Filesize
40KB

Download
memory/1772-163-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/1772-143-0x0000000000000000-mapping.dmp

Download
memory/1772-159-0x0000000005BC0000-0x0000000005C5C000-memory.dmp

Filesize
624KB

Download
memory/1772-162-0x0000000006210000-0x00000000067B4000-memory.dmp

Filesize
5.6MB

Download
memory/1772-147-0x0000000000CD0000-0x0000000000E1C000-memory.dmp

Filesize
1.3MB

Download
memory/1980-137-0x0000000000000000-mapping.dmp

Download
memory/1980-154-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1980-149-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/2112-146-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2112-133-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2112-132-0x0000000000000000-mapping.dmp

Download
memory/2112-134-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2112-135-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2112-136-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4816-161-0x00007FFC99320000-0x00007FFC99D56000-memory.dmp

Filesize
10.2MB

Download
memory/4816-140-0x0000000000000000-mapping.dmp

Download
memory/4816-167-0x0000000000EEA000-0x0000000000EEF000-memory.dmp

Filesize
20KB

Download
memory/4816-168-0x0000000000EEA000-0x0000000000EEF000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads