cybergate | 89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474

Analysis

max time kernel
151s
max time network
145s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe
Size

997KB
MD5

940de291ba050ebfd3de908807471667
SHA1

a6e61ce6868f576ac1fc80594d492525bd08f503
SHA256

89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474
SHA512

51355bb19918077e135cf607bb6514686acc8f7215ed00fb5f72d4ca2a684711f69870678001df4e9d99e9c502b203f74c0ec6dd53cf6168c5912430465c6e78
SSDEEP

24576:voaLVERAqmCsSMpRc33NR7Z0PxJusnNK8+3d1pbCT:voaRYMpR03rb3DVCT

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

tranair.no-ip.biz:200

Mutex

4AA240JG40C2MQ

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
rundll32
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\rundll32"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\rundll32"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DLXE5YH3-NB64-3R3I-5CXS-PQ6GOV3YPJ2H}\StubPath = "C:\\Windows\\install\\rundll32"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DLXE5YH3-NB64-3R3I-5CXS-PQ6GOV3YPJ2H}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DLXE5YH3-NB64-3R3I-5CXS-PQ6GOV3YPJ2H}\StubPath = "C:\\Windows\\install\\rundll32 Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{DLXE5YH3-NB64-3R3I-5CXS-PQ6GOV3YPJ2H}	explorer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/900-75-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral1/memory/900-84-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/1292-89-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/1292-92-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/900-94-0x0000000000230000-0x00000000002A2000-memory.dmp	upx
behavioral1/memory/900-95-0x0000000000230000-0x00000000002A2000-memory.dmp	upx
behavioral1/memory/900-97-0x0000000000230000-0x00000000002A2000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\install\rundll32	vbc.exe
File opened for modification	C:\Windows\install\rundll32	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
900	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1292	explorer.exe
Token: SeRestorePrivilege	1292	explorer.exe
Token: SeBackupPrivilege	900	vbc.exe
Token: SeRestorePrivilege	900	vbc.exe
Token: SeDebugPrivilege	900	vbc.exe
Token: SeDebugPrivilege	900	vbc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1944	DllHost.exe
900	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 1996 wrote to memory of 900	1996	89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe	28
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15
PID 900 wrote to memory of 1216	900	vbc.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe
  "C:\Users\Admin\AppData\Local\Temp\89edc984126ace6cfad8ef5786f4911a45a3e8d3f308e6bd32ff2375cc4b2474.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      PID:1292

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
236KB

MD5
836754dcca17341da5af4156148a84ed

SHA1
938028082d57e2790a48beeb3fec1d887ce059c4

SHA256
7664bc6be366f3352d6f9f1bc0b18c0e5a8de569773a20de6117c919ac28bcf1

SHA512
e0d71b545a23f138c8b1655120c4e8c5bd397207a1982e6d42eb0190b884b69b6914cc65cf4ca454d86742a78dde67b3c0c676b128d46825a4c9aefe3d977117

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hi.jpg

Filesize
156KB

MD5
712fda7e117074c4bd76bb5813d5fffc

SHA1
48bc96830d5a98b1ed3f329a2a22d0174d34aa3c

SHA256
396f8e9b5b5c98004e9bedc9770590d577435c0d7369ce3b457e954a81d14043

SHA512
4b9e22e9a36fd0132a8d16f18ea679b5ec317e7602601104e4e7b4bc7ad78e9d26acfec2c7754783b3bca8496b1f6584afa187404697a5b98561088b76b75f03

Download Submit
C:\Windows\install\rundll32

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/900-70-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-57-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-60-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-61-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-62-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-63-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-66-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-69-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-68-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-97-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/900-96-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-58-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/900-75-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/900-95-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/900-94-0x0000000000230000-0x00000000002A2000-memory.dmp

Filesize
456KB

Download
memory/900-84-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1216-78-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/1292-83-0x0000000074DB1000-0x0000000074DB3000-memory.dmp

Filesize
8KB

Download
memory/1292-89-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1292-92-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/1996-56-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-55-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-72-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-54-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download