cybergate | e81eeb1814c5b94e1d83a907dfcf36bf813607e0875f3a62a084e259b1318db1

General

Target

TS3HackToken.exe
Size

405KB
MD5

6d5ccb56c9aa12c579d0f20fe1c9163a
SHA1

0fa7b41bf999f6d2e6b4caf6f1b2cf00acb7720d
SHA256

937c41971fded46ea59c6d248eca33fb494204541a6e5983f0f21b6bcd435710
SHA512

986abf3629c917890cc0ca232d5e287f55f497486e79db0d6fbd369afd443d883e4f5c5febaf3d6bb239e44300e407455734420b78a8a248a93bebd55ea9d365
SSDEEP

12288:KVUBLwLg2RgfLkz1qtrVyUX33w+mO9Hystr0py:KVUBf4ZKJ3w3y

Score

10^/10

cybergate victime persistence spyware stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Victime

C2

pedrologue.no-ip.org:81

Mutex

5K1FQ4L182DDX0

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
windir
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Le bot Dofus n'est pas compatible avec votre Ordinateur actuel. Merci d'essayer de relancer le bot sur un nouvel ordinateur
message_box_title
INCOMPATIBLE
password
123456
regkey_hkcu
svchost.exe
regkey_hklm
svchost.exe

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Deletes itself 1 IoCs

Processes:

svhost.exe

pid process

2948 svhost.exe
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2948 svhost.exe
Loads dropped DLL 1 IoCs

Processes:

TS3HackToken.exe

pid process

1700 TS3HackToken.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2948	svhost.exe

pid	process
2948	svhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svhost.exe

description pid process target process

PID 2948 set thread context of 2932 2948 svhost.exe AppLaunch.exe

description	pid	process	target process
PID 2948 set thread context of 2932	2948	svhost.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

TS3HackToken.exesvhost.exe

pid	process
1700	TS3HackToken.exe
1700	TS3HackToken.exe
1700	TS3HackToken.exe
1700	TS3HackToken.exe
1700	TS3HackToken.exe
1700	TS3HackToken.exe
2948	svhost.exe
2948	svhost.exe
2948	svhost.exe
2948	svhost.exe
2948	svhost.exe
2948	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TS3HackToken.exesvhost.exe

description pid process

Token: SeDebugPrivilege 1700 TS3HackToken.exe
Token: SeDebugPrivilege 2948 svhost.exe

description	pid	process
Token: SeDebugPrivilege	1700	TS3HackToken.exe
Token: SeDebugPrivilege	2948	svhost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

TS3HackToken.exesvhost.exe

description	pid	process	target process
PID 1700 wrote to memory of 2948	1700	TS3HackToken.exe	svhost.exe
PID 1700 wrote to memory of 2948	1700	TS3HackToken.exe	svhost.exe
PID 1700 wrote to memory of 2948	1700	TS3HackToken.exe	svhost.exe
PID 1700 wrote to memory of 2948	1700	TS3HackToken.exe	svhost.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe
PID 2948 wrote to memory of 2932	2948	svhost.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\TS3HackToken.exe
"C:\Users\Admin\AppData\Local\Temp\TS3HackToken.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
3⤵
PID:2932

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\svhost.exe
Filesize
405KB

MD5
6d5ccb56c9aa12c579d0f20fe1c9163a

SHA1
0fa7b41bf999f6d2e6b4caf6f1b2cf00acb7720d

SHA256
937c41971fded46ea59c6d248eca33fb494204541a6e5983f0f21b6bcd435710

SHA512
986abf3629c917890cc0ca232d5e287f55f497486e79db0d6fbd369afd443d883e4f5c5febaf3d6bb239e44300e407455734420b78a8a248a93bebd55ea9d365

Download Submit
memory/1700-17-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-1-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-0-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-3-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-5-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/1700-2-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2932-32-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2932-30-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2932-38-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2932-39-0x0000000010000000-0x0000000010000000-memory.dmp

Download
memory/2932-22-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2932-24-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2932-28-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2932-26-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2932-34-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2932-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2948-14-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-16-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-19-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-15-0x0000000001E00000-0x0000000001E40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads