Analysis

  • max time kernel
    17s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-06-2023 06:24

General

  • Target

    CyberGate v3.4.2.2 Cracked/CyberGate v3.4.2.2 Cracked by The Old Warrior/server.exe

  • Size

    428KB

  • MD5

    193642d723ede4bbfc6243fdee330a46

  • SHA1

    7f4217ca52d5f5bc0d31405aa8aeabdcc86ae1e7

  • SHA256

    022781a00ae035eba4657733106f9d6909ec28f4bcd77b19a0ee215cb7766d85

  • SHA512

    faa873ab32649a1607065074a0bda5e3a20ceaa54505244edcee639eb3bb4f74b1976c2b4c4f688ea325d92f9c94ab4fef70c1f77d336861223fbb1a47bab8ed

  • SSDEEP

    12288:RuMwnBi8vvrHxVPKyv2m77sZB07FxObO321:RHwU8vrx52t07FQao

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

127.0.0.1:999

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3132
      • C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe
        "C:\Users\Admin\AppData\Local\Temp\CyberGate v3.4.2.2 Cracked\CyberGate v3.4.2.2 Cracked by The Old Warrior\server.exe"
        2⤵
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
          3⤵
            PID:4896
          • C:\Windows\SysWOW64\explorer.exe
            explorer.exe
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2216
          • C:\directory\CyberGate\install\server.exe
            "C:\directory\CyberGate\install\server.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4560

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin2.txt

        Filesize

        385KB

        MD5

        f8ea6b460cd968e4b12a3d7a57dda28f

        SHA1

        abc2943337cfb876fe72dcc3684bbb12bb1ec638

        SHA256

        5ce0400db7fea62d32f20e8a72c2e116c316a58e2b5575340a5097f4ffe46386

        SHA512

        020aba30ef6fe4505db41c5e501b71f284c9a9f76ff8cfcd92604bc4c4383b17b912fc69e7248560e39df676e689ac70b117198415ff955f97bd440abf00d22b

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        01aefe7b5a7c1627737371735d2714f1

        SHA1

        6454d23e6ef2ae97f205ef357f2d8a1907a639cf

        SHA256

        211d0ac0b1ddd8dbfe3b0fd4e4483c19576ac6e36969d705e11451fc57b1ee1b

        SHA512

        3d62bf48fbd1203066f4e599977b9719538af5e9cd84df4a3a67c59ff1b532a96212d2ae8462b013b50fcc4f692c37c39ab61c1ad4bcd2476fe06dc4fd0311a5

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        7b69b6d44607fb2a2cbfd647a8f592a0

        SHA1

        b0369006edcd8653036d48ad03d77c5aa0b67843

        SHA256

        df873d76452582dafbd3f6608b860796451b797d3ec4cf3dadb935fa543b0769

        SHA512

        c9ed8fdc2dd983f7d489cb2c9b8aa1898075adb7fc1e4316431b727afe1ac2efc4811dcd8af4f289116111c09c20f9d89feb0d35b04dce848238745e5055ba33

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        7b9d07b6d767fa2487594c83db76b164

        SHA1

        12aa06b39ef87804b22f3cf32d79161386ef1d79

        SHA256

        a4d2692bc6abe15f636c237443af0158f56f62b9539b8f104d6342e1890d5f1c

        SHA512

        c33c9ae0907a2c0b21c6069451779b3410c1ba3eba917a353a5fbce162d8f5caf72e65ef3027c70e13c0f2910b710e8edaf4148447c861161c1ecbd58bd9caf1

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        f7534c9e71f8d48ab4b11eadd0b1c808

        SHA1

        1e5e837724e7a799c82e36eb74c75bced16e6062

        SHA256

        ae1e3c2702433eb81d6688ee87350cdf2be6c2ff444993095f191d5ca40c26f2

        SHA512

        3a0b2dee44a83b204dfac834ddb4868395abf1ea09b44127cff17789e508d69fe1295d08d1bf73e2b5f304a9f662c479c3f4698fcd87ebd229ba36d4f76dee8f

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        408be7f1457433c36e817076281c04c1

        SHA1

        23792832611a278d434e0e985490cf57a9903f8e

        SHA256

        c4021ef34cf2454cf95a36a5e04502781e1c149ff75882a44df9c39c224cb4f0

        SHA512

        e1ebb1ccb4dc4278678096f7826b61fe42daa5cd54ac250ec479d32240126b9d84f93826c7a59370220cbec1a88f9138282e0ea548f9e442967d8236f0e6d885

      • C:\Users\Admin\AppData\Local\Temp\Admin7

        Filesize

        8B

        MD5

        229668c2fcaa626b8b1e83dc5532f8d2

        SHA1

        ce106476db7d97a15f8fe4eea2b65c4db6872a61

        SHA256

        4f8a724876400db5213979a34b33abd983744a87e6ab67a82168d0142ce060b8

        SHA512

        d41b17642c942afcfa5f5ae7c21659538da18b20520b70f484ae54e5e5d37384d6e8b4df2545005df0f850dd614063d2b3e19ed3d51d2ceae2610c1f4df20a6b

      • C:\Users\Admin\AppData\Local\Temp\Admin8

        Filesize

        8B

        MD5

        13eab812c78c8973c4835624e6c0d3cf

        SHA1

        e4adad263ad256162af9b8398da3cd5aef4b3092

        SHA256

        b7be0d6f25b38613d997963809168224e5aa7549df18fcdc3b71d693fd71d801

        SHA512

        b64d750209a228dfd33feab7f29fb17eed5108073cc9f3d7658482f8cb55862e51a610246f56f7720829d3872ea9627df320b9c3603238320e0e59cd3d2c1bea

      • C:\directory\CyberGate\install\server.exe

        Filesize

        428KB

        MD5

        193642d723ede4bbfc6243fdee330a46

        SHA1

        7f4217ca52d5f5bc0d31405aa8aeabdcc86ae1e7

        SHA256

        022781a00ae035eba4657733106f9d6909ec28f4bcd77b19a0ee215cb7766d85

        SHA512

        faa873ab32649a1607065074a0bda5e3a20ceaa54505244edcee639eb3bb4f74b1976c2b4c4f688ea325d92f9c94ab4fef70c1f77d336861223fbb1a47bab8ed

      • memory/2216-278-0x00000000104F0000-0x0000000010560000-memory.dmp

        Filesize

        448KB

      • memory/2216-145-0x00000000007C0000-0x00000000007C1000-memory.dmp

        Filesize

        4KB

      • memory/2216-144-0x0000000000700000-0x0000000000701000-memory.dmp

        Filesize

        4KB

      • memory/2216-1411-0x00000000104F0000-0x0000000010560000-memory.dmp

        Filesize

        448KB

      • memory/2540-136-0x0000000010410000-0x0000000010480000-memory.dmp

        Filesize

        448KB

      • memory/2540-200-0x00000000104F0000-0x0000000010560000-memory.dmp

        Filesize

        448KB

      • memory/2540-140-0x0000000010480000-0x00000000104F0000-memory.dmp

        Filesize

        448KB