cybergate | de2f10468d57b9c055a4a4e829c09862f58707223042c80c79c5d17dd7cc30e6

Analysis

max time kernel
55s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4123bf29f1a36f8940272dfcfb9ab409.exe
Size

324KB
MD5

4123bf29f1a36f8940272dfcfb9ab409
SHA1

a2657ed954e37a6e39585c5e938fd610e9b71137
SHA256

de2f10468d57b9c055a4a4e829c09862f58707223042c80c79c5d17dd7cc30e6
SHA512

f108e8a48b2073624262015c12b6d1ef2d45fe5f1bd7496e20bbb7137eb59414fa61e6319c62c3a5d5cb93377e105cfeb796810c16ec66c5945e30e438c546e9
SSDEEP

6144:qhmTH1EWuzEwi9fYtR7Rfvb0JOPScVeb+jUtV6v6/aO5R:omH1EWuwtfYrRXb7VVeqAsSiyR

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.18.0 - Crack Version

Botnet

remote

tim0.dyndns.org:81

tim0.dyndns.org:82

Mutex

N65I4020CC0882

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
.//
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
QWERTZ

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1636-19-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-23-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-32-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-33-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-38-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-26-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-24-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-20-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-18-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-17-0x0000000000450000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1636-1298-0x0000000000450000-0x00000000004C2000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows-Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Policies\\WinDefender.exe"	4123bf29f1a36f8940272dfcfb9ab409.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1652 set thread context of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 set thread context of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 set thread context of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 set thread context of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1636	vbc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	4123bf29f1a36f8940272dfcfb9ab409.exe
Token: 33	1652	4123bf29f1a36f8940272dfcfb9ab409.exe
Token: SeIncBasePriorityPrivilege	1652	4123bf29f1a36f8940272dfcfb9ab409.exe
Token: SeBackupPrivilege	1636	vbc.exe
Token: SeRestorePrivilege	1636	vbc.exe
Token: SeDebugPrivilege	1636	vbc.exe
Token: SeDebugPrivilege	1636	vbc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1636	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	16
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 1692	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	29
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2652	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	30
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31
PID 1652 wrote to memory of 2656	1652	4123bf29f1a36f8940272dfcfb9ab409.exe	31

C:\Users\Admin\AppData\Local\Temp\4123bf29f1a36f8940272dfcfb9ab409.exe
"C:\Users\Admin\AppData\Local\Temp\4123bf29f1a36f8940272dfcfb9ab409.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d3db92f97b262198b32502f378db9197

SHA1
f0fcb55aaa3b82a5b717cfdd79d3ddf98ef69084

SHA256
3bfb549230954d94d30acdd9dcc6679a4978d896b4f7e0dfe20daf5ab74f8fe4

SHA512
c7cd0b416728ee57c3a1a1b74c02d9ab141dc8ab2007ff278c2d1ed9445dff50334d0953d8328b1e63bfb51f8da39435a0552b3bbfbf54b39ed9ea36ff5fbc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
351fb1ebf58a97fdefc633599d94b9fc

SHA1
c40bc1f7e5205e44e3fb3925c337baa636daea5d

SHA256
a0389f7905361a2700f59aeb2c8fe38efbe56b9095bcea4426a6c259953acbd1

SHA512
b8f9a9459e7622dbca7372d87801f368c1b7c03e18be0dfc075ca7f66600381aa897a9fe4b09e2d525df63a681bcd3ed237ca15245239b9f61ddf6f5aa6f72d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2db65b2bdb5457fbb9bd29a3b9f881a9

SHA1
2e69ad9bb54278eaea701ce1fb79c4e4a90fde8f

SHA256
c77667a282f544841479ea5fbac07b7571dfe841fd9cbb5298f4d2b3e427eb2a

SHA512
28bc264dd717c32ddea130dd7ef6b1599b5e8752941be2c9a4891602a09443767aea9ed3da0037aa7ae249d37d34e8e07c7e76a3f77f993d9a06a396df0675c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f2ce80986cee1a9c6b19d54431c145c3

SHA1
949d89ae79c9968b3470f444f9e93b10d6674ecd

SHA256
96ba1e0dbcf267a65a23812a6b26f639adb7c363bc3b696ec5f1d2f2cc7bd507

SHA512
cd81d77f55d8c63ead2d1a414e687a14b59ccbab4c3a44f0e5b1839e3443a31578b664958e3b83d7a28932c1cf1e2e5d62460f0dbaaa371fefed5227ceff82fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d84458921385bec14be9731531c871aa

SHA1
52af363b504ec1af2666746db448d2c8367c5821

SHA256
9ab618e8eb5f2bbd15a8aecd10e5d6a85ef1abf5e31ab60d57eaeae37a5d1417

SHA512
fdb25c2d0bb7f8b4287d4c4a89ae7ce7bce3bd9e9034bf653e65715c51b698b581a0b6820303f2fd501f5bce941d021524f8fa616f6792a4a75cd092ebdfc73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
34e6b6efad104593899fa5e03f5f0f10

SHA1
62bde9b36ef9b01ee5f14c56b88acbaf7635da0c

SHA256
42bb0c2442f03b4418f7b3bee3469c796fcf376e7c87e869fe34470388446167

SHA512
8b83e3c7e639d643e1676766c18795d8b293ad83bc3f5c7984a211519572c1a454d969295e95891470b13cf49d8fb9452414bc5f4ba213ee86d5360ce6485b01

Download Submit
memory/1636-38-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-20-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-8-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-7-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-6-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-4-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-19-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-23-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-32-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-33-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-14-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-26-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-24-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-18-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-17-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1636-15-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-69-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-13-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1636-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1636-1298-0x0000000000450000-0x00000000004C2000-memory.dmp

Filesize
456KB

Download
memory/1652-150-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-1-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/1652-0-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-2-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-67-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2652-151-0x0000000000450000-0x00000000004B7000-memory.dmp

Filesize
412KB

Download
memory/2652-153-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads