cybergate | c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3

General

Target

c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe
Size

1.1MB
MD5

c3949d458a91786a6037188c6a098a8f
SHA1

eb029186b7a25cb6185106d06adcaa7e4061eefb
SHA256

c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3
SHA512

68b3c9779b5c49291503ec4f0e56e0c274274a64a35273348cd879cee5f4b16167b303fccf6a7c984f6f3c0ab9dea7e6d4362fb1f3324448780e0c13771be8f3
SSDEEP

12288:6o1IrQRfhmX01LiOCkKMdrJALYVcXmGdUq7nvr6MgSEr1ZixnzHh1ErnUbalmqvb:8qZmmrcX5js8nTmx9X2Hj4Z8P

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victime

C2

therealdexen.no-ip.biz:27015

Mutex

V13NYN68G86567

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
ftp_password
123lol
ftp_port
21
ftp_server
dexen.free.fr
ftp_username
dexen
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123lol

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	vbc.exe

Executes dropped EXE 2 IoCs

Processes:

server.exeserver.exe

pid process

296 server.exe
1908 server.exe

pid	process
296	server.exe
1908	server.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B21X7CH-WK45-EQH6-16B1-708U4HOY5XEG}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B21X7CH-WK45-EQH6-16B1-708U4HOY5XEG}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	vbc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1732-63-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral1/memory/1732-69-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/608-74-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/608-75-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/608-84-0x0000000010480000-0x00000000104E5000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

1732 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1732	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe

description	pid	process	target process
PID 2004 set thread context of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

1732 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

608 vbc.exe

pid	process
1732	vbc.exe

pid	process
608	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeBackupPrivilege	608	vbc.exe
Token: SeRestorePrivilege	608	vbc.exe
Token: SeDebugPrivilege	608	vbc.exe
Token: SeDebugPrivilege	608	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exevbc.exe

description	pid	process	target process
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 2004 wrote to memory of 1732	2004	c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe	vbc.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe
PID 1732 wrote to memory of 1348	1732	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe
"C:\Users\Admin\AppData\Local\Temp\c076a611f9726ce59a6ab4472b69b68b30efc0ad8772db66a0a771a02cfa06e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
4⤵
- Executes dropped EXE
PID:1908

C:\directory\CyberGate\install\server.exe
"C:\directory\CyberGate\install\server.exe"
3⤵
- Executes dropped EXE
PID:296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
Filesize
224KB

MD5
1bfdd14ac661094727c98fe823df2d80

SHA1
3760cbc41ef0b817a80d1d8ccf355410fc8ddbbc

SHA256
4a926d10cfa069551ec48a6d15354239b7608438447a19211924a764c74f3edf

SHA512
39177a97ae8c41bae938a78576a506927119e37a818781373f079eb6c1bbee0f6ad3b61c2e578ed87b1f6430a1df887100618761202be742db0fcc6f68c032d2

Download Submit
C:\directory\CyberGate\install\server.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\directory\CyberGate\install\server.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\directory\CyberGate\install\server.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\directory\CyberGate\install\server.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/296-77-0x0000000000000000-mapping.dmp

Download
memory/608-72-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/608-74-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/608-67-0x0000000000000000-mapping.dmp

Download
memory/608-84-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/608-75-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1732-79-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1732-61-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1732-60-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1732-63-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/1732-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1732-56-0x000000000040E1A8-mapping.dmp

Download
memory/1732-55-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1732-69-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1908-82-0x0000000000000000-mapping.dmp

Download
memory/2004-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/2004-58-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads