cybergate | a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90

Analysis

max time kernel
153s
max time network
93s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 20:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe
Size

328KB
MD5

7c1ec60524f6ec115ebc6fd92f2c0d9f
SHA1

9f8af175d94251c1b9286afd98b047e616f84889
SHA256

a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90
SHA512

d98b7d46600567b42bfc54149a771a3c2416b2c64a3a9aff57fb9d1a6059a64dde528080332d1a542d6c66c4a43b4b6f59fd7c2e5028fe723b5bf1d9d24df9e5
SSDEEP

6144:S3wRQf2PoKmFjfrhSgvYm8rerh2sakS79v8opB:S3u9PoKejfrhSgnrhvMeop

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

thebest10.zapto.org:3014

Mutex

IRS2LRE2365B5J

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
svchost.exe
install_file
picture
install_flag
true
keylogger_enable_ftp
false
message_box_caption
YOU HAVE BEEN HACKED! Who i am is the question? I Am -------- The Genius
message_box_title
CyberGate
password
facebook
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\picture"	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cvtres.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\picture"	cvtres.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YJ6XG6D6-PE50-V8DV-DN03-MPXKTODF51N5}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YJ6XG6D6-PE50-V8DV-DN03-MPXKTODF51N5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\picture"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{YJ6XG6D6-PE50-V8DV-DN03-MPXKTODF51N5}	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{YJ6XG6D6-PE50-V8DV-DN03-MPXKTODF51N5}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\picture Restart"	cvtres.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-56-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1292-58-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1292-59-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1292-63-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1292-64-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1292-66-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1292-68-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1292-77-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1088-82-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1088-85-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1292-87-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1292-93-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1528-98-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1292-99-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1528-100-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1528-101-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\picture"	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	cvtres.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\\picture"	cvtres.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe\picture	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1292	cvtres.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1528	cvtres.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1088	explorer.exe
Token: SeRestorePrivilege	1088	explorer.exe
Token: SeBackupPrivilege	1528	cvtres.exe
Token: SeRestorePrivilege	1528	cvtres.exe
Token: SeDebugPrivilege	1528	cvtres.exe
Token: SeDebugPrivilege	1528	cvtres.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1292	cvtres.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27
PID 1632 wrote to memory of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27
PID 1632 wrote to memory of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27
PID 1632 wrote to memory of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27
PID 1632 wrote to memory of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27
PID 1632 wrote to memory of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27
PID 1632 wrote to memory of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27
PID 1632 wrote to memory of 1292	1632	a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe	27
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15
PID 1292 wrote to memory of 1360	1292	cvtres.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe
  "C:\Users\Admin\AppData\Local\Temp\a387a07547d978962e9f3d88a7fb910b583cd8421aeee9f3e81c7724d9fd1e90.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Suspicious use of AdjustPrivilegeToken
      PID:1088
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
4bd4ae59cad21effda7c707edf4b03dd

SHA1
6887092912e96cf982720d1303bc6702f71ef581

SHA256
743dc8440639443fa3ebf8ec38d20f81f02c6539a86a0abcc84487476c3d5f67

SHA512
bce06d126594f88c18ddd46040a1e4e2881f071072d47e8cdeb93de877a308c9beba430a845bc9136c637934821fb39c1205d2bd05477e2d1d0460d0eb2b37c6

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe\picture

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1088-85-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1088-76-0x0000000074F71000-0x0000000074F73000-memory.dmp

Filesize
8KB

Download
memory/1088-82-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1292-77-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1292-87-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1292-63-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1292-66-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1292-68-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1292-99-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1292-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1292-93-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1292-64-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1292-56-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1292-55-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1292-59-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1360-71-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1528-98-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1528-100-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1528-101-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/1632-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1632-65-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download