cybergate | cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c

Analysis

max time kernel
205s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe
Size

552KB
MD5

b1c5c7e1e68a9fa96181913679b4bdbc
SHA1

7b7ff433011cb9e00e3dbbacd3de90c5509e53a1
SHA256

cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c
SHA512

ca8116bbf18aff88fc21a789a9dfbf0c00cec955a272c9359c357f393f41a3d864969b14a0000f9eceebcdcb5fa1334b9d71420a00229c59b3284d25bb58820f
SSDEEP

12288:aSNwanCWMXw2tLteRwjkxuSNB6giWmjVv3XJx:aSGanCgSgwYiDFH

Score

10^/10

cybergate mike persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

mike

iamgreatl33t.no-ip.org:1723

Mutex

EUB6MQ52B01S78

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
blade
install_file
csc.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\blade\\csc.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\blade\\csc.exe"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
5100	csc.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6I11880P-I0T7-VD4L-OEX4-5WS33A6434J2}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6I11880P-I0T7-VD4L-OEX4-5WS33A6434J2}\StubPath = "C:\\blade\\csc.exe Restart"	vbc.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1436-134-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1436-136-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1436-137-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1436-139-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1436-141-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/1436-146-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/1436-149-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4188-150-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4188-151-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4188-154-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\blade\\csc.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\blade\\csc.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3484 set thread context of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	4188	vbc.exe
Token: SeRestorePrivilege	4188	vbc.exe
Token: SeDebugPrivilege	4188	vbc.exe
Token: SeDebugPrivilege	4188	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81
PID 3484 wrote to memory of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81
PID 3484 wrote to memory of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81
PID 3484 wrote to memory of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81
PID 3484 wrote to memory of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81
PID 3484 wrote to memory of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81
PID 3484 wrote to memory of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81
PID 3484 wrote to memory of 1436	3484	cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe	81
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82
PID 1436 wrote to memory of 3816	1436	vbc.exe	82

C:\Users\Admin\AppData\Local\Temp\cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe
"C:\Users\Admin\AppData\Local\Temp\cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
  - - C:\blade\csc.exe
      "C:\blade\csc.exe"
      4⤵
      Executes dropped EXE
      PID:5100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
137e95613ebd406a01bda0b8ac115d95

SHA1
2dd73595f7ca917a8d4d0f983055e8efc893c683

SHA256
60d3235643c895b206c5f342b3e3c308660c84b1ed0caf183d34513b5b1a5df2

SHA512
a3af999a4adcdb93f4fd7383050a07cb952f7f60f0148ae7659d2c0368332c247a98e5ab1655936cc80361ca75f5b74ef43908c0d7222ec82852627f0dfdc240

Download Submit
C:\blade\csc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\blade\csc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1436-139-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1436-137-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1436-136-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1436-141-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1436-146-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1436-149-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1436-134-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3484-138-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/3484-132-0x0000000075190000-0x0000000075741000-memory.dmp

Filesize
5.7MB

Download
memory/4188-151-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4188-154-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/4188-150-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads