cybergate | c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded

General

Target

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
Size

477KB
MD5

0a439518508b71a31e998795f18f295b
SHA1

563284a57eb6cd232ab48e87f9a939c92c787092
SHA256

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded
SHA512

9ab7179dc6b636b1b0a753e31160e14dac488c2a53c50c19207dc6d869f0d661119b6bbfa8b0a9a522aa8f7869bea0a5a7e1cb5b10efeabad36123a9dd25fb1b
SSDEEP

12288:uSWoLbZA5VA34r6i8V0TxgkY5vpXxR8nJOf0bM+FBE8YSTKNfXj:uSWckVAIv8V0KzlP2wc5jIfz

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

C2

takutaku.no-ip.biz:3002

Mutex

2T662FOSL4A557

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
nevermind

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

4344 vbc.exe
1696 vbc.exe

pid	process
4344	vbc.exe
1696	vbc.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4344-142-0x0000000010410000-0x0000000010482000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe"	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

description	pid	process	target process
PID 2600 set thread context of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
File created	C:\Windows\assembly\Desktop.ini	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

4344 vbc.exe
4344 vbc.exe

pid	process
4344	vbc.exe
4344	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exevbc.exe

description	pid	process	target process
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 2600 wrote to memory of 4344	2600	c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe	vbc.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe
PID 4344 wrote to memory of 2012	4344	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe
"C:\Users\Admin\AppData\Local\Temp\c07c0ff42073d5568e8bc07ab0ead445779c9f11b86f6b87ad2a849790a83ded.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
3⤵
- Executes dropped EXE
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1696-146-0x0000000000000000-mapping.dmp

Download
memory/2600-138-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/2600-133-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/2600-148-0x0000000075360000-0x0000000075911000-memory.dmp

Filesize
5.7MB

Download
memory/4344-137-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4344-132-0x0000000000000000-mapping.dmp

Download
memory/4344-139-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4344-140-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4344-142-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/4344-134-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads