cybergate | 3d74cfe784a7cfebb08ea78ff2c67b673833c3c710931d663444c645d9a5ba48

Analysis

max time kernel
3s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1533c81b22c38bf7f7e16ac587c91116.exe
Size

604KB
MD5

1533c81b22c38bf7f7e16ac587c91116
SHA1

ab97ab39e34b44f06bba7f4c7a68df83742d4708
SHA256

3d74cfe784a7cfebb08ea78ff2c67b673833c3c710931d663444c645d9a5ba48
SHA512

a96110db4dde048b95314a1ac653c8c31bff40d96a970dcd8ed016a8772b17a5bc8ad0b3904ea31cb5219b243a4c0512990fb7283444c1862ee7fe1d940393c5
SSDEEP

12288:D3DOrVS2k0CIxhNm/74WLap2Q4SAqz2BBx5pD1aqA5nNfmHUv7+0N1R7:D3yrVW09NmDM2/c2BjzD1uNe0vaKR7

Score

10^/10

cybergate king persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

KinG

7osam.no-ip.biz:1604

Mutex

07FG30XG66S10O

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456789
regkey_hkcu
Cyber
regkey_hklm
Cyber

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1533c81b22c38bf7f7e16ac587c91116.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	1533c81b22c38bf7f7e16ac587c91116.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1533c81b22c38bf7f7e16ac587c91116.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	1533c81b22c38bf7f7e16ac587c91116.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6L63005T-Q215-3VB6-6S73-403D1XJL547J}	1533c81b22c38bf7f7e16ac587c91116.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6L63005T-Q215-3VB6-6S73-403D1XJL547J}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	1533c81b22c38bf7f7e16ac587c91116.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1560-1-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/memory/1560-6-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/memory/668-536-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2544-586-0x0000000001DE0000-0x0000000001F70000-memory.dmp	upx
behavioral1/memory/1384-588-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/memory/1384-845-0x00000000104F0000-0x0000000010555000-memory.dmp	upx
behavioral1/memory/1932-854-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/memory/1932-875-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/memory/2260-881-0x0000000000400000-0x0000000000590000-memory.dmp	upx
behavioral1/memory/668-884-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/1384-1118-0x00000000104F0000-0x0000000010555000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cyber = "C:\\Windows\\system32\\install\\server.exe"	1533c81b22c38bf7f7e16ac587c91116.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cyber = "C:\\Windows\\system32\\install\\server.exe"	1533c81b22c38bf7f7e16ac587c91116.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	1533c81b22c38bf7f7e16ac587c91116.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	1533c81b22c38bf7f7e16ac587c91116.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	1533c81b22c38bf7f7e16ac587c91116.exe
2544	1533c81b22c38bf7f7e16ac587c91116.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	668	explorer.exe
Token: SeRestorePrivilege	668	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2544	1533c81b22c38bf7f7e16ac587c91116.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1560	1533c81b22c38bf7f7e16ac587c91116.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 1560 wrote to memory of 2544	1560	1533c81b22c38bf7f7e16ac587c91116.exe	25
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8
PID 2544 wrote to memory of 1276	2544	1533c81b22c38bf7f7e16ac587c91116.exe	8

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\1533c81b22c38bf7f7e16ac587c91116.exe
  "C:\Users\Admin\AppData\Local\Temp\1533c81b22c38bf7f7e16ac587c91116.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\1533c81b22c38bf7f7e16ac587c91116.exe
    C:\Users\Admin\AppData\Local\Temp\1533c81b22c38bf7f7e16ac587c91116.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:668
  - - C:\Users\Admin\AppData\Local\Temp\1533c81b22c38bf7f7e16ac587c91116.exe
      "C:\Users\Admin\AppData\Local\Temp\1533c81b22c38bf7f7e16ac587c91116.exe"
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\install\server.exe
        
        "C:\Windows\system32\install\server.exe"
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\install\server.exe
        
        C:\Windows\SysWOW64\install\server.exe
        6⤵
        
        PID:1620
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\install\server.exe
        
        C:\Windows\SysWOW64\install\server.exe
        5⤵
        
        PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-874-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/536-887-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/668-536-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/668-308-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/668-255-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/668-884-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1276-12-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1384-588-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1384-1118-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1384-845-0x00000000104F0000-0x0000000010555000-memory.dmp

Filesize
404KB

Download
memory/1384-1536-0x0000000006190000-0x0000000006320000-memory.dmp

Filesize
1.6MB

Download
memory/1560-5-0x0000000002BD0000-0x0000000002D60000-memory.dmp

Filesize
1.6MB

Download
memory/1560-6-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1560-1-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1620-883-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1932-875-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1932-854-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2260-881-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/2544-842-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2544-586-0x0000000001DE0000-0x0000000001F70000-memory.dmp

Filesize
1.6MB

Download
memory/2544-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2544-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2544-888-0x0000000001DE0000-0x0000000001F70000-memory.dmp

Filesize
1.6MB

Download
memory/2544-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2544-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download