cybergate | aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25

General

Target

aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
Size

186KB
MD5

0ecec7cafea0801aeeca3ec8c5c339b0
SHA1

c876af9075ff0e06db1562d9eb119c9cce7cda9c
SHA256

aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25
SHA512

9aa4f80108c14f410e5263f6e9ee09a39d70d6343e79d401afcf2d7af055021f2242adb2e10eb031efe916fcdc3299c8017f969bfbfca11ab486ddfb8ad76003
SSDEEP

3072:Jlt0bI9TbqOetSAJzsysGb+3G5/D7PpXFI4cUUGwOpbZ1Ui2fqnh6pyPjFF8fVT:JrjbuMA7sGb+25/D7pX6iUCbZzS24pkC

Score

10^/10

cybergate víctima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.3

Botnet

Víctima

C2

gchacker.no-ip.org:112

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Win62
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Imposible abrir el archivo.
message_box_title
Error de apertura:
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win62\\server.exe"	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win62\\server.exe"	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42417K5V-8B3Q-2RR5-RD36-42PH0Y3O8O7A}\StubPath = "C:\\Windows\\Win62\\server.exe Restart"	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{42417K5V-8B3Q-2RR5-RD36-42PH0Y3O8O7A}	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1368-132-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral2/memory/1368-134-0x0000000024010000-0x0000000024051000-memory.dmp	upx
behavioral2/memory/1368-139-0x0000000024060000-0x00000000240A1000-memory.dmp	upx
behavioral2/memory/504-142-0x0000000024060000-0x00000000240A1000-memory.dmp	upx
behavioral2/memory/1368-143-0x0000000000400000-0x0000000000442000-memory.dmp	upx
C:\Windows\Win62\server.exe	upx
behavioral2/memory/504-146-0x0000000024060000-0x00000000240A1000-memory.dmp	upx
behavioral2/memory/504-147-0x0000000024060000-0x00000000240A1000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

Processes:

aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exeexplorer.exe

description	ioc	process
File created	C:\Windows\Win62\server.exe	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
File opened for modification	C:\Windows\Win62\server.exe	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
File opened for modification	C:\Windows\Win62\server.exe	explorer.exe
File opened for modification	C:\Windows\Win62\	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

pid	process
1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

504 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 504 explorer.exe
Token: SeDebugPrivilege 504 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

pid process

1368 aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

pid	process
504	explorer.exe

description	pid	process
Token: SeDebugPrivilege	504	explorer.exe
Token: SeDebugPrivilege	504	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe

description	pid	process	target process
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE
PID 1368 wrote to memory of 1192	1368	aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe
"C:\Users\Admin\AppData\Local\Temp\aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
144KB

MD5
5dfcf44a3363918224e45d9a6660f2d2

SHA1
e32027e0da7d4acebd2ddac36e3929e57317579d

SHA256
f2e1b8fc45fba5570e0862d34f49eed09730081e1e887664d243028180c71df0

SHA512
f552ae78402c03720280632facb2fa8c19cf2b16d6e3b677e20f01df7cd1d151b6d1cf5c467c7452f767e72c25e0071c0d9e2922940b4e258faf61c431457509

Download Submit
C:\Windows\Win62\server.exe
Filesize
186KB

MD5
0ecec7cafea0801aeeca3ec8c5c339b0

SHA1
c876af9075ff0e06db1562d9eb119c9cce7cda9c

SHA256
aeb0d83c7289fc73c413673d44e8b77ee5f11ebf459868f45a4ee56e5a23cc25

SHA512
9aa4f80108c14f410e5263f6e9ee09a39d70d6343e79d401afcf2d7af055021f2242adb2e10eb031efe916fcdc3299c8017f969bfbfca11ab486ddfb8ad76003

Download Submit
memory/504-138-0x0000000000000000-mapping.dmp

Download
memory/504-142-0x0000000024060000-0x00000000240A1000-memory.dmp

Filesize
260KB

Download
memory/504-146-0x0000000024060000-0x00000000240A1000-memory.dmp

Filesize
260KB

Download
memory/504-147-0x0000000024060000-0x00000000240A1000-memory.dmp

Filesize
260KB

Download
memory/1368-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1368-134-0x0000000024010000-0x0000000024051000-memory.dmp

Filesize
260KB

Download
memory/1368-139-0x0000000024060000-0x00000000240A1000-memory.dmp

Filesize
260KB

Download
memory/1368-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads