cybergate | ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229

General

Target

ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe
Size

788KB
MD5

a40a9412af18bb74847a6bd4f5a74337
SHA1

dd7382e9494a46a80f80f77840082b2c0cd15585
SHA256

ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229
SHA512

be13ffb71b05f7b7697896ed0f8a7672ac7477028be6c57d9d8520bbed1af35f26280931b8fa107db7e4728f89a001574f46ff121060207c42ff09898edb0348
SSDEEP

12288:UttGK6yTjskwQIFtdEQ0t3qrluBGpM47u4nCC3u8GjmhfoI/I4I6cm1fSDf9xe0K:Od3SUDxB8csZcY

Score

10^/10

cybergate victima stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victima

C2

albertiktn.no-ip.org:81

Mutex

***egbuiertbi***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
svchost.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1172-57-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1172-59-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1172-60-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1172-65-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1172-66-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1172-67-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1172-69-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral1/memory/1172-78-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1172-84-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1772-83-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1772-88-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1772-90-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe

description	pid	process	target process
PID 1928 set thread context of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1772 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 1772 explorer.exe
Token: SeDebugPrivilege 1772 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

vbc.exeDllHost.exe

pid process

1172 vbc.exe
1744 DllHost.exe

pid	process
1772	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1772	explorer.exe
Token: SeDebugPrivilege	1772	explorer.exe

pid	process
1172	vbc.exe
1744	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exevbc.exe

description	pid	process	target process
PID 1928 wrote to memory of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe
PID 1928 wrote to memory of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe
PID 1928 wrote to memory of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe
PID 1928 wrote to memory of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe
PID 1928 wrote to memory of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe
PID 1928 wrote to memory of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe
PID 1928 wrote to memory of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe
PID 1928 wrote to memory of 1172	1928	ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe	vbc.exe
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE
PID 1172 wrote to memory of 1400	1172	vbc.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe
"C:\Users\Admin\AppData\Local\Temp\ae4f162271057efdc8b9b6b9c257e9a046ff775634e64570208748789ae66229.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
5⤵
PID:1960

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
236KB

MD5
cb53e3180caf8ab556d9addd2d7213bf

SHA1
4ca356e05cae90f2e89b7bb422bd40ce6e150f94

SHA256
79025bb393a294673fbdd704abff04b303152711b8efcc43645af1d7de575413

SHA512
f13b1601a93f8c339a3d7e09a8ef4c2d96d7cf8f148a31acf28638e87bb634a84427a4eef16d96c8d7baede2a3381d035700e6f1668b59a3455b5d65740e087d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kosovaaa.jpg
Filesize
6KB

MD5
5a69f4859d54519baaab29653c663360

SHA1
09a7e9b504d26f543432dfc659b6f593e5afc342

SHA256
e6cd6003e5c49c9d702410a029d4c327b920de29180115304f63fd085fb41833

SHA512
f0ee3784c413e5ca772130cd0db11b4342bee7a6cc69b66bb484507037615e6f45c7a91cc6ad06367a1901c0ca401ff5d58f3fede06228284f32941099143da6

Download Submit
memory/1172-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1172-56-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1172-59-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1172-60-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1172-61-0x0000000000457890-mapping.dmp

Download
memory/1172-57-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1172-65-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1172-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1172-84-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1172-69-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1172-78-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1400-72-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1772-75-0x0000000000000000-mapping.dmp

Download
memory/1772-77-0x0000000075231000-0x0000000075233000-memory.dmp

Filesize
8KB

Download
memory/1772-83-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1772-88-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1772-90-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-63-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-55-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads