cybergate | f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f

General

Target

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
Size

315KB
MD5

dcc256be852687239ff152f6d9a6e1b5
SHA1

c1944db712385819ebe9600739e3ccac7e031d30
SHA256

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f
SHA512

8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2
SSDEEP

6144:rz+W2anmpCY4A0863r6tZzpu+C8CKJVR05:rz+Kk3N6etZzpul8CKnO

Score

10^/10

cybergate 5 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.05.1

Botnet

5

C2

annonymous007.zapto.org:56120

Mutex

I42OOP770AO448

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
0123456

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

mvscavAP.exeSiaPort.exe

pid process

4308 mvscavAP.exe
3068 SiaPort.exe

pid	process
4308	mvscavAP.exe
3068	SiaPort.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4264-138-0x0000000010410000-0x0000000010471000-memory.dmp	upx
behavioral2/memory/4264-143-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/3460-146-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/3460-148-0x0000000010480000-0x00000000104E1000-memory.dmp	upx
behavioral2/memory/3460-163-0x0000000010480000-0x00000000104E1000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exemvscavAP.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	mvscavAP.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mvscavAP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe"	mvscavAP.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exeSiaPort.exe

description	pid	process	target process
PID 3176 set thread context of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3068 set thread context of 3840	3068	SiaPort.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exemvscavAP.exeSiaPort.exe

pid	process
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe
3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
4308	mvscavAP.exe
3068	SiaPort.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exeAppLaunch.exemvscavAP.exeSiaPort.exe

description	pid	process
Token: SeDebugPrivilege	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
Token: SeDebugPrivilege	3460	AppLaunch.exe
Token: SeDebugPrivilege	3460	AppLaunch.exe
Token: SeDebugPrivilege	4308	mvscavAP.exe
Token: SeDebugPrivilege	3068	SiaPort.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exeAppLaunch.exe

description	pid	process	target process
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 3176 wrote to memory of 4264	3176	f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe	AppLaunch.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe
PID 4264 wrote to memory of 1952	4264	AppLaunch.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe
"C:\Users\Admin\AppData\Local\Temp\f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
"C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
"C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
4⤵
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize
315KB

MD5
dcc256be852687239ff152f6d9a6e1b5

SHA1
c1944db712385819ebe9600739e3ccac7e031d30

SHA256
f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f

SHA512
8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe
Filesize
315KB

MD5
dcc256be852687239ff152f6d9a6e1b5

SHA1
c1944db712385819ebe9600739e3ccac7e031d30

SHA256
f29898fb778457feab0502f1b8b96a7ba2a4ad9b37514163aa73d3678364613f

SHA512
8fdf3e8d0ae8e01a539920ab03b92ac492ea46e733de04919f43c3da89314ff144cfabc390f956a2e3333fc5418ec1cf7a2907ae17214a1fb8fc01e790ef84d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize
6KB

MD5
c203e138f460101f8af1314c0e817892

SHA1
13c2bc33e42e86e066d303b8596211d92a1a814e

SHA256
1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454

SHA512
ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
Filesize
6KB

MD5
c203e138f460101f8af1314c0e817892

SHA1
13c2bc33e42e86e066d303b8596211d92a1a814e

SHA256
1d06c0e123142e3d119f5d865cba651d10c1b96a6fb44b68782b5f762ee16454

SHA512
ed9890756d06e0418223bda173c054839c407687c4f4cc0de63f7ef77a8872c146157c85be215b45f60636c7dfc2c815660d979b2f581408bbdae336428e045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
222KB

MD5
37fcb6f30c7348187b8cba966a16f73b

SHA1
aa61d17dd87449ff657490965cadc965fc0d543d

SHA256
0d8a9a8fb8b84632f613b327e9aef424f7d3b8608dbf8f81a3d5c0036cf82858

SHA512
0744a1ed1f257dfc5df018bb67753aaad53811899b4da7147e6bc60c0b12bc5bdb78410c43314608bd95deda90b6b4defae4b00392b5001e889adfcc34d2e59d

Download Submit
memory/824-149-0x0000000000000000-mapping.dmp

Download
memory/3068-165-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/3068-157-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/3068-154-0x0000000000000000-mapping.dmp

Download
memory/3176-162-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/3176-132-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/3460-142-0x0000000000000000-mapping.dmp

Download
memory/3460-148-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/3460-146-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/3460-163-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/3840-158-0x0000000000000000-mapping.dmp

Download
memory/3840-161-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4264-143-0x0000000010480000-0x00000000104E1000-memory.dmp

Filesize
388KB

Download
memory/4264-135-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4264-136-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4264-138-0x0000000010410000-0x0000000010471000-memory.dmp

Filesize
388KB

Download
memory/4264-134-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4264-133-0x0000000000000000-mapping.dmp

Download
memory/4308-156-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/4308-150-0x0000000000000000-mapping.dmp

Download
memory/4308-164-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads