cybergate | 933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3

Analysis

max time kernel
149s
max time network
62s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe
Size

294KB
MD5

1c410f1649d4eaed7f8fd0108267b4d9
SHA1

7fe9d89ac8fb16ed7f79d1fe06bd335d614dfb08
SHA256

933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3
SHA512

d46d6bf7c87df6d5643d57e72286f29a557890ea91bfd279142127b38d36ef22e63c8d73b4e760a7b8b45b81d1d9cfa0a2eb44be719df3c3c19744f4c8850b19
SSDEEP

6144:e60x6xG2DUxWGaEgxyDpUKrP1dIPgBw9zX1wYNfSEBtWWL:eP6xrDUMNxy9UokL9zNaEBtxL

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

victime

farfouch-hacker.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Tempdecrypted.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Tempdecrypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	Tempdecrypted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Tempdecrypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	Tempdecrypted.exe

Executes dropped EXE 3 IoCs

Processes:

Tempdecrypted.exeTempdecrypted.exeserver.exe

pid process

960 Tempdecrypted.exe
1424 Tempdecrypted.exe
1168 server.exe

pid	process
960	Tempdecrypted.exe
1424	Tempdecrypted.exe
1168	server.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Tempdecrypted.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	Tempdecrypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	Tempdecrypted.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
behavioral1/memory/960-63-0x0000000000400000-0x0000000000458000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
behavioral1/memory/960-66-0x0000000024010000-0x0000000024072000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
behavioral1/memory/1424-73-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/960-74-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/960-80-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1424-79-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
\dir\install\install\server.exe	upx
C:\dir\install\install\server.exe	upx
\dir\install\install\server.exe	upx
C:\dir\install\install\server.exe	upx
behavioral1/memory/1424-89-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1168-91-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1168-92-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1424-94-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exeTempdecrypted.exe

pid	process
1048	933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe
1048	933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe
1424	Tempdecrypted.exe
1424	Tempdecrypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Tempdecrypted.exe

pid process

960 Tempdecrypted.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Tempdecrypted.exe

pid process

1424 Tempdecrypted.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Tempdecrypted.exe

description pid process

Token: SeDebugPrivilege 1424 Tempdecrypted.exe
Token: SeDebugPrivilege 1424 Tempdecrypted.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe

pid process

1048 933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe

pid	process
960	Tempdecrypted.exe

pid	process
1424	Tempdecrypted.exe

description	pid	process
Token: SeDebugPrivilege	1424	Tempdecrypted.exe
Token: SeDebugPrivilege	1424	Tempdecrypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exeTempdecrypted.exe

description	pid	process	target process
PID 1048 wrote to memory of 960	1048	933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe	Tempdecrypted.exe
PID 1048 wrote to memory of 960	1048	933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe	Tempdecrypted.exe
PID 1048 wrote to memory of 960	1048	933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe	Tempdecrypted.exe
PID 1048 wrote to memory of 960	1048	933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe	Tempdecrypted.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe
PID 960 wrote to memory of 1760	960	Tempdecrypted.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe
"C:\Users\Admin\AppData\Local\Temp\933f84a4c952165dcf5c78413bb764491f527c8909ddf7602083732e166bd3c3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Tempdecrypted.exe
"C:\Users\Admin\AppData\Local\Tempdecrypted.exe"
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1760

C:\Users\Admin\AppData\Local\Tempdecrypted.exe
"C:\Users\Admin\AppData\Local\Tempdecrypted.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\dir\install\install\server.exe
"C:\dir\install\install\server.exe"
4⤵
- Executes dropped EXE
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
230KB

MD5
e36c7e764cc9f279e542522c0d75b4e5

SHA1
1db09a8c0ad3975264b88c660d6f82578201c590

SHA256
8882bbfe54f833a6c0f225f45ec37da002e2c2dbfbc83c784700672087729e8f

SHA512
c4ec5f7685631875e44b921ad7a2bc6ff827736f17728c82037c78e973a9d1b3f26c1b059a4f0b2c2d2810d798b678a97f21598fb549d2f3bed004effbf3575a

Download Submit
C:\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
C:\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
C:\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
C:\dir\install\install\server.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
C:\dir\install\install\server.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
\dir\install\install\server.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
\dir\install\install\server.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
memory/960-63-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/960-66-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/960-59-0x0000000000000000-mapping.dmp

Download
memory/960-74-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/960-80-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1048-56-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1048-61-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1168-85-0x0000000000000000-mapping.dmp

Download
memory/1168-92-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1168-91-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1424-70-0x0000000000000000-mapping.dmp

Download
memory/1424-79-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1424-88-0x0000000004AB0000-0x0000000004B08000-memory.dmp

Filesize
352KB

Download
memory/1424-89-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1424-90-0x0000000004AB0000-0x0000000004B08000-memory.dmp

Filesize
352KB

Download
memory/1424-73-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1424-77-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1424-93-0x0000000004AB0000-0x0000000004B08000-memory.dmp

Filesize
352KB

Download
memory/1424-94-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download