cybergate | 9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1

General

Target

9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
Size

428KB
MD5

4706ee52cbd9511c933c2fd42ecfd6b0
SHA1

6ee01365aeff8d50119912dd207156b480ef0cb2
SHA256

9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1
SHA512

fdf2e84edadc73a730807a776ac75d1397aa9f9d4570c878745a3a673c1acddd62f44853e4d9e94f8935ba515d832eacb73dbd2f4de28a6de2ba95148f580840
SSDEEP

12288:huMw+Bi8vvrHxVPKyv2m77sZB07FxObO32Y:hHwn8vrx52t07FQaj

Score

10^/10

cybergate 1 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

1

C2

95.182.34.83:81

Mutex

2XC28T623TIA46

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe"	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0NFV13T8-418H-CB88-8461-5037WB0268LP}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0NFV13T8-418H-CB88-8461-5037WB0268LP}\StubPath = "C:\\Windows\\install\\server.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0NFV13T8-418H-CB88-8461-5037WB0268LP}	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0NFV13T8-418H-CB88-8461-5037WB0268LP}\StubPath = "C:\\Windows\\install\\server.exe Restart"	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1816-133-0x0000000010410000-0x0000000010480000-memory.dmp	upx
behavioral2/memory/1816-138-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/4796-141-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/4796-144-0x0000000010480000-0x00000000104F0000-memory.dmp	upx
behavioral2/memory/1816-147-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/4620-150-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/4620-151-0x00000000104F0000-0x0000000010560000-memory.dmp	upx
behavioral2/memory/4620-152-0x00000000104F0000-0x0000000010560000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe"	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe"	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

Drops file in Windows directory 5 IoCs

Processes:

9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exeexplorer.exe

description	ioc	process
File created	C:\Windows\install\server.exe	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
File opened for modification	C:\Windows\install\server.exe	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
File opened for modification	C:\Windows\install\	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
File opened for modification	C:\Windows\install\server.exe	explorer.exe
File opened for modification	C:\Windows\install\	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 4620 explorer.exe
Token: SeDebugPrivilege 4620 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

pid process

1816 9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

description	pid	process
Token: SeDebugPrivilege	4620	explorer.exe
Token: SeDebugPrivilege	4620	explorer.exe

pid	process
1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe

description	pid	process	target process
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE
PID 1816 wrote to memory of 2584	1816	9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe
"C:\Users\Admin\AppData\Local\Temp\9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Modifies Installed Components in the registry
PID:4796

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
385KB

MD5
eab19b6851390ecdf639e5d4eb7b9c30

SHA1
83195bc4ad1c76fd697a4e2ef7bf8f2df60c5a96

SHA256
9a01133144890dcd7055b2a06a9bff6428fca5cead4f87905d5268f1711e6140

SHA512
3f0f8c50813da391c2e157fbda6d1e53f9a08b972d681e1f3328fc37fd3bb72b7921849f05540eea711896c7cd4aca7b84d1474d66b01ec2a4dd7b1d4f451ad4

Download Submit
C:\Windows\install\server.exe
Filesize
428KB

MD5
4706ee52cbd9511c933c2fd42ecfd6b0

SHA1
6ee01365aeff8d50119912dd207156b480ef0cb2

SHA256
9f81e30a0a0c6da5d18394f64e21082b45642607b95d83def6222b053f74cef1

SHA512
fdf2e84edadc73a730807a776ac75d1397aa9f9d4570c878745a3a673c1acddd62f44853e4d9e94f8935ba515d832eacb73dbd2f4de28a6de2ba95148f580840

Download Submit
memory/1816-133-0x0000000010410000-0x0000000010480000-memory.dmp

Filesize
448KB

Download
memory/1816-138-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/1816-147-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/4620-146-0x0000000000000000-mapping.dmp

Download
memory/4620-150-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/4620-151-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/4620-152-0x00000000104F0000-0x0000000010560000-memory.dmp

Filesize
448KB

Download
memory/4796-137-0x0000000000000000-mapping.dmp

Download
memory/4796-141-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download
memory/4796-144-0x0000000010480000-0x00000000104F0000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads