cybergate | 40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

Analysis

max time kernel
150s
max time network
57s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious2b763683f4bc.exe
Size

290KB
MD5

cc5d023b5fa3916f2ef1a794145254ea
SHA1

b496eb4a3947eb290717059b70d6d2fb17ed6d6b
SHA256

40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de
SHA512

17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b
SSDEEP

6144:2OpslFlqLhdBCkWYxuukP1pjSKSNVkq/MVJbX:2wsl2TBd47GLRMTbX

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

smokie666.chickenkiller.com:8090

Mutex

TG0LNKN1EO587L

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	easyMalicious2b763683f4bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	easyMalicious2b763683f4bc.exe
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	easyMalicious2b763683f4bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\directory\\CyberGate\\install\\server.exe"	easyMalicious2b763683f4bc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{65712V73-T7AW-S821-21E2-LU324O72L4U7}	easyMalicious2b763683f4bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65712V73-T7AW-S821-21E2-LU324O72L4U7}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe Restart"	easyMalicious2b763683f4bc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{65712V73-T7AW-S821-21E2-LU324O72L4U7}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65712V73-T7AW-S821-21E2-LU324O72L4U7}\StubPath = "c:\\directory\\CyberGate\\install\\server.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	server.exe

Loads dropped DLL 2 IoCs

pid	Process
544	easyMalicious2b763683f4bc.exe
544	easyMalicious2b763683f4bc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/584-584-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/544-903-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/544-933-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	easyMalicious2b763683f4bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\directory\\CyberGate\\install\\server.exe"	easyMalicious2b763683f4bc.exe
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run	easyMalicious2b763683f4bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\directory\\CyberGate\\install\\server.exe"	easyMalicious2b763683f4bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
544	easyMalicious2b763683f4bc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	584	explorer.exe
Token: SeRestorePrivilege	584	explorer.exe
Token: SeBackupPrivilege	544	easyMalicious2b763683f4bc.exe
Token: SeRestorePrivilege	544	easyMalicious2b763683f4bc.exe
Token: SeDebugPrivilege	544	easyMalicious2b763683f4bc.exe
Token: SeDebugPrivilege	544	easyMalicious2b763683f4bc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2376	easyMalicious2b763683f4bc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14
PID 2376 wrote to memory of 1384	2376	easyMalicious2b763683f4bc.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\easyMalicious2b763683f4bc.exe
  "C:\Users\Admin\AppData\Local\Temp\easyMalicious2b763683f4bc.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\easyMalicious2b763683f4bc.exe
    "C:\Users\Admin\AppData\Local\Temp\easyMalicious2b763683f4bc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:544
  - - C:\directory\CyberGate\install\server.exe
      "C:\directory\CyberGate\install\server.exe"
      4⤵
      Executes dropped EXE
      PID:2820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
ea859081c91a710ea0a57cd3aacb9139

SHA1
00ec36c43b42c2cca6a8f9776060e9fa19207ec5

SHA256
8e2b57630b79b70698de298313198b0f8c8dd54ba835b14fc8430c43e44a77e8

SHA512
ae1b5ca74ccddba87639c660c4fbc12c60722d6ce51e143b40c658d6bdf927e904108a1f9eff43b307fc4142c250a3ee41bd54fd0480c21145764f59878f342f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin8

Filesize
8B

MD5
59b89d8c5d0a25282737ab8e3b8febb1

SHA1
d9dffb117d93c64aa9d38c048c851567b4ab903a

SHA256
ca91d81c2f951bff34bc2e8b3ca5ee4c74cea0479bda5a393b6385c4d683e70c

SHA512
2e67af636a6d9514f8070774a0c573e8f5d771d4ea7dd25696fc2ed052002d5236443331125941c05cb41d6ef6e9b1a3a9beba2d6155af5b3bc264dca4e307bd

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\directory\CyberGate\install\server.exe

Filesize
290KB

MD5
cc5d023b5fa3916f2ef1a794145254ea

SHA1
b496eb4a3947eb290717059b70d6d2fb17ed6d6b

SHA256
40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

SHA512
17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b

Download Submit
\??\c:\directory\CyberGate\install\server.exe

Filesize
290KB

MD5
cc5d023b5fa3916f2ef1a794145254ea

SHA1
b496eb4a3947eb290717059b70d6d2fb17ed6d6b

SHA256
40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

SHA512
17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b

Download Submit
\directory\CyberGate\install\server.exe

Filesize
290KB

MD5
cc5d023b5fa3916f2ef1a794145254ea

SHA1
b496eb4a3947eb290717059b70d6d2fb17ed6d6b

SHA256
40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

SHA512
17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b

Download Submit
\directory\CyberGate\install\server.exe

Filesize
290KB

MD5
cc5d023b5fa3916f2ef1a794145254ea

SHA1
b496eb4a3947eb290717059b70d6d2fb17ed6d6b

SHA256
40675c4b5d24820f25d5ea8e99f2381c1dd57565ab67f68aad2a110d892108de

SHA512
17fd636fce02c4545731897781db2dd966aaf3b2a5c761b5aebf2d5c02f9e1af18be8b0f93298e65dd12a15f0d4d1a88267cd28a035016ed50fe4e232d593e7b

Download Submit
memory/544-903-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/544-933-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/584-550-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/584-584-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/584-552-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1384-57-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads