cybergate | c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded

General

Target

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
Size

477KB
MD5

0a439518508b71a31e998795f18f295b
SHA1

563284a57eb6cd232ab48e87f9a939c92c787092
SHA256

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded
SHA512

9ab7179dc6b636b1b0a753e31160e14dac488c2a53c50c19207dc6d869f0d661119b6bbfa8b0a9a522aa8f7869bea0a5a7e1cb5b10efeabad36123a9dd25fb1b
SSDEEP

12288:uSWoLbZA5VA34r6i8V0TxgkY5vpXxR8nJOf0bM+FBE8YSTKNfXj:uSWckVAIv8V0KzlP2wc5jIfz

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

C2

takutaku.no-ip.biz:3002

Mutex

2T662FOSL4A557

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
nevermind

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1740 vbc.exe
1504 vbc.exe

pid	process
1740	vbc.exe
1504	vbc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1740-74-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral1/memory/1740-83-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/1504-88-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/1504-89-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/1504-92-0x0000000010490000-0x0000000010502000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exevbc.exe

pid process

2040 c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
1740 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
1740	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe"	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

description	pid	process	target process
PID 2040 set thread context of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1740 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

1504 vbc.exe

pid	process
1740	vbc.exe

pid	process
1504	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeBackupPrivilege	1504	vbc.exe
Token: SeRestorePrivilege	1504	vbc.exe
Token: SeDebugPrivilege	1504	vbc.exe
Token: SeDebugPrivilege	1504	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exevbc.exe

description	pid	process	target process
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2040 wrote to memory of 1740	2040	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe
PID 1740 wrote to memory of 1460	1740	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
"C:\Users\Admin\AppData\Local\Temp\c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
236KB

MD5
14669e18a056e6379ceaff80958a60ab

SHA1
b5a80f77ec9ff78b6cf272b2015eda54908b665a

SHA256
39658cc3fc41873ab7f8de216a9b2043e954548246575505d6cb446f34343f65

SHA512
20ee3f3ef1d0f937ad8257277fecbc0bbbb4d79dec60e083af507e4d5420ee97b30df9500695f1e2d9e6d6c28febbf8a8ae737cc156b85fc45988371df91da7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1504-92-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1504-89-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1504-88-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1504-86-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1504-80-0x0000000000000000-mapping.dmp

Download
memory/1740-62-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-63-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-69-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-70-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-57-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-72-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-74-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/1740-66-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-67-0x000000000040A0C4-mapping.dmp

Download
memory/1740-90-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-61-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-83-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1740-60-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1740-58-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2040-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2040-71-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-55-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads