cybergate | ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b

Analysis

max time kernel
150s
max time network
91s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe
Size

294KB
MD5

625e39ec68c86460b163bf828773f2a8
SHA1

97a87451bec18344d3f57fc3543064c9038a8783
SHA256

ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b
SHA512

6850ec706ba44413346c20e39cd671b626dc2e0a53bd4080e8630028ba7007d04c4fc45060ac21ac5c41d812f7e3155169f6ead4d8392a000f472b5e6b94fd8d
SSDEEP

6144:s3Z60x6xG2DUxWGaEgxyDpUKrP1dIPgBw9zX1wYNfSEBtWWL:EZP6xrDUMNxy9UokL9zNaEBtxL

Score

10^/10

cybergate victime persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.7 Beta 02

Botnet

victime

farfouch-hacker.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Tempdecrypted.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	Tempdecrypted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Tempdecrypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe"	Tempdecrypted.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Tempdecrypted.exe

Executes dropped EXE 3 IoCs

Processes:

Tempdecrypted.exeTempdecrypted.exeserver.exe

pid process

1028 Tempdecrypted.exe
1696 Tempdecrypted.exe
1892 server.exe

pid	process
1028	Tempdecrypted.exe
1696	Tempdecrypted.exe
1892	server.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Tempdecrypted.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	Tempdecrypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart"	Tempdecrypted.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
C:\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
behavioral1/memory/1028-65-0x0000000000400000-0x0000000000458000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
behavioral1/memory/1028-68-0x0000000024010000-0x0000000024072000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Tempdecrypted.exe	upx
behavioral1/memory/1696-75-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1028-76-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1028-82-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1696-81-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral1/memory/1696-83-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
C:\dir\install\install\server.exe	upx
\dir\install\install\server.exe	upx
\dir\install\install\server.exe	upx
C:\dir\install\install\server.exe	upx
behavioral1/memory/1696-92-0x0000000004AC0000-0x0000000004B18000-memory.dmp	upx
behavioral1/memory/1892-93-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1892-94-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1696-95-0x0000000024080000-0x00000000240E2000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exeTempdecrypted.exe

pid	process
1724	ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe
1724	ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe
1696	Tempdecrypted.exe
1696	Tempdecrypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Tempdecrypted.exe

pid process

1028 Tempdecrypted.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Tempdecrypted.exe

pid process

1696 Tempdecrypted.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Tempdecrypted.exe

description pid process

Token: SeDebugPrivilege 1696 Tempdecrypted.exe
Token: SeDebugPrivilege 1696 Tempdecrypted.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe

pid process

1724 ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe

pid	process
1028	Tempdecrypted.exe

pid	process
1696	Tempdecrypted.exe

description	pid	process
Token: SeDebugPrivilege	1696	Tempdecrypted.exe
Token: SeDebugPrivilege	1696	Tempdecrypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exeTempdecrypted.exe

description	pid	process	target process
PID 1724 wrote to memory of 1028	1724	ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe	Tempdecrypted.exe
PID 1724 wrote to memory of 1028	1724	ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe	Tempdecrypted.exe
PID 1724 wrote to memory of 1028	1724	ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe	Tempdecrypted.exe
PID 1724 wrote to memory of 1028	1724	ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe	Tempdecrypted.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe
PID 1028 wrote to memory of 580	1028	Tempdecrypted.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe
"C:\Users\Admin\AppData\Local\Temp\ab50acdc5952ccdad34ea9a169097e361bab5e32867d2c044453dab97f42737b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Tempdecrypted.exe
"C:\Users\Admin\AppData\Local\Tempdecrypted.exe"
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:580

C:\Users\Admin\AppData\Local\Tempdecrypted.exe
"C:\Users\Admin\AppData\Local\Tempdecrypted.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\dir\install\install\server.exe
"C:\dir\install\install\server.exe"
4⤵
- Executes dropped EXE
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
230KB

MD5
e36c7e764cc9f279e542522c0d75b4e5

SHA1
1db09a8c0ad3975264b88c660d6f82578201c590

SHA256
8882bbfe54f833a6c0f225f45ec37da002e2c2dbfbc83c784700672087729e8f

SHA512
c4ec5f7685631875e44b921ad7a2bc6ff827736f17728c82037c78e973a9d1b3f26c1b059a4f0b2c2d2810d798b678a97f21598fb549d2f3bed004effbf3575a

Download Submit
C:\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
C:\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
C:\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
C:\dir\install\install\server.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
C:\dir\install\install\server.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
\Users\Admin\AppData\Local\Tempdecrypted.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
\dir\install\install\server.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
\dir\install\install\server.exe
Filesize
277KB

MD5
692ef0b811f0d3870a980485e56d1f64

SHA1
912e771a698e902a7ff87f94b84adc1ae5feed68

SHA256
49f30b03dbc2671ecfcb11ed39db5b002dece907b15b9529e68b8aaba9f1db4c

SHA512
032c807f4c42903f615d5dd861212951746f6a66656d2d5f8498f8bebda580d85485824bd0c3ae87a532bf8b7123131ce689bd0d08f72479fc77619fe901a697

Download Submit
memory/1028-76-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1028-61-0x0000000000000000-mapping.dmp

Download
memory/1028-68-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1028-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1028-82-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1696-91-0x0000000004AC0000-0x0000000004B18000-memory.dmp

Filesize
352KB

Download
memory/1696-92-0x0000000004AC0000-0x0000000004B18000-memory.dmp

Filesize
352KB

Download
memory/1696-81-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1696-83-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1696-96-0x0000000004AC0000-0x0000000004B18000-memory.dmp

Filesize
352KB

Download
memory/1696-95-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1696-79-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1696-72-0x0000000000000000-mapping.dmp

Download
memory/1696-75-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1724-55-0x0000000000400000-0x000000000040D150-memory.dmp

Filesize
52KB

Download
memory/1724-54-0x0000000000400000-0x000000000040D150-memory.dmp

Filesize
52KB

Download
memory/1724-63-0x0000000000400000-0x000000000040D150-memory.dmp

Filesize
52KB

Download
memory/1724-58-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1892-88-0x0000000000000000-mapping.dmp

Download
memory/1892-93-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1892-94-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download