cybergate | 825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c

General

Target

825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
Size

454KB
MD5

5b747bea00230414e196afd29ffd9cf7
SHA1

a1bff5c84bdb5895f693e7239735f93c81629c77
SHA256

825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c
SHA512

18e004758d760a26641186dfd4ac8d140a131f59d77f29e02c0b9e120d64e1cca80e8d1f5675a92f44031fd6fc78de9648d9da14da8fd158fe15314ea8ba0bfa
SSDEEP

6144:FEYZenDUvNOYa+qmbjqsPGp3OJbsGynZO3ehp6k7+4Kgkw2D+QBOBw1VIfQFS2wx:Xen4vMJMqmeHZEepuw2apORD8

Score

10^/10

cybergate q persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

q

C2

looost.no-ip.biz:90

Mutex

K0672GC34DW2QD

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
explorer
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Molebox Virtualization software 1 IoCs

Detects file using Molebox Virtualization software.

Processes:

resource	yara_rule
C:\Windows\explorer\explorer.exe	molebox

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\explorer\\explorer.exe"	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\explorer\\explorer.exe"	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y4B8154T-12QC-W8EP-5X24-2BRJ22F3T834}	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y4B8154T-12QC-W8EP-5X24-2BRJ22F3T834}\StubPath = "C:\\Windows\\explorer\\explorer.exe Restart"	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/836-63-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral1/memory/836-69-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/956-74-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/956-75-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/956-80-0x0000000010490000-0x0000000010502000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

Processes:

825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

description	ioc	process
File created	C:\Windows\explorer\explorer.exe	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
File opened for modification	C:\Windows\explorer\explorer.exe	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
File opened for modification	C:\Windows\explorer\explorer.exe	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
File opened for modification	C:\Windows\explorer\	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

pid process

956 825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

pid	process
956	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

description	pid	process
Token: SeBackupPrivilege	956	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
Token: SeRestorePrivilege	956	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
Token: SeDebugPrivilege	956	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
Token: SeDebugPrivilege	956	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe

description	pid	process	target process
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe
PID 836 wrote to memory of 748	836	825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
"C:\Users\Admin\AppData\Local\Temp\825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe
"C:\Users\Admin\AppData\Local\Temp\825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
236KB

MD5
2d5e4b1bf6e02021ab35c7e00ca84622

SHA1
703bfb7a92a0d093fa1f8a9fba0bb783f42f8dec

SHA256
fcc830275c5c3860dfc6a91dbc93a6b6d51cd6954a0fbcb6a6367a76a808453b

SHA512
7600839db864321df3bba3f56962696e3d45652c45a6378f6b799a2cbd7925604d438701f01d3df852e8e56586255cf4ff9f110b4861dc1ba95025875c633e15

Download Submit
C:\Windows\explorer\explorer.exe
Filesize
454KB

MD5
5b747bea00230414e196afd29ffd9cf7

SHA1
a1bff5c84bdb5895f693e7239735f93c81629c77

SHA256
825f7b53d5ff21207e0d650a6e1d18c34f9a87f9839bd33ec4635ec312e9743c

SHA512
18e004758d760a26641186dfd4ac8d140a131f59d77f29e02c0b9e120d64e1cca80e8d1f5675a92f44031fd6fc78de9648d9da14da8fd158fe15314ea8ba0bfa

Download Submit
memory/836-59-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/836-69-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/836-58-0x0000000001EC0000-0x0000000001FC0000-memory.dmp

Filesize
1024KB

Download
memory/836-54-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/836-60-0x0000000001D00000-0x0000000001E00000-memory.dmp

Filesize
1024KB

Download
memory/836-61-0x0000000002110000-0x0000000002210000-memory.dmp

Filesize
1024KB

Download
memory/836-63-0x0000000010410000-0x0000000010482000-memory.dmp

Filesize
456KB

Download
memory/836-79-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/836-78-0x0000000001BD0000-0x0000000001C1E000-memory.dmp

Filesize
312KB

Download
memory/836-57-0x0000000001EB1000-0x0000000001EB5000-memory.dmp

Filesize
16KB

Download
memory/836-55-0x0000000001BD0000-0x0000000001C1E000-memory.dmp

Filesize
312KB

Download
memory/836-56-0x0000000001CF1000-0x0000000001CF5000-memory.dmp

Filesize
16KB

Download
memory/956-75-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/956-74-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/956-72-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download
memory/956-68-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/956-67-0x0000000000000000-mapping.dmp

Download
memory/956-80-0x0000000010490000-0x0000000010502000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads