cybergate | 7d93976408dc11ba72f22a1d3e8f56cb04bd709b2f59035e045cd95082294b52

General

Target

63a0509c0c7e8dcb75f57331cfa6bd38.exe
Size

831KB
MD5

63a0509c0c7e8dcb75f57331cfa6bd38
SHA1

16db2eaad442f6b3a011d270c5d3137c559d710c
SHA256

7d93976408dc11ba72f22a1d3e8f56cb04bd709b2f59035e045cd95082294b52
SHA512

b2dd26729e01dd1bcb092ea70bcaef56d00a80360cea624fb93fc82de7ced772f616b59383c0eed9a975109cad5aa42c0e053342c4b6de552a64f1d82647f8f9
SSDEEP

12288:4ArOsSxQyf7cS3dllghQnqbaE23v7eNxQgbSc2yw/Nogi5QRjtOf2ABpj92KPalV:4f1+QAm7E2lImAaZz

Score

10^/10

cybergate admin stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

admin

C2

crypto234.no-ip.org:7678

Mutex

6M8B7UH0U6TFNB

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
winupdate
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
ankay22
regkey_hkcu
HKCU

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

3016 svhost.exe
Loads dropped DLL 2 IoCs

Processes:

63a0509c0c7e8dcb75f57331cfa6bd38.exe

pid process

2372 63a0509c0c7e8dcb75f57331cfa6bd38.exe
2372 63a0509c0c7e8dcb75f57331cfa6bd38.exe

pid	process
3016	svhost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1816-564-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2900-867-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral1/memory/1816-1244-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral1/memory/2900-2103-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

63a0509c0c7e8dcb75f57331cfa6bd38.exe

description pid process target process

PID 2372 set thread context of 3016 2372 63a0509c0c7e8dcb75f57331cfa6bd38.exe svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2372 set thread context of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

63a0509c0c7e8dcb75f57331cfa6bd38.exe

pid	process
2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe
2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe
2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe
2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe
2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe
2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe
2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe
2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

63a0509c0c7e8dcb75f57331cfa6bd38.exe

description pid process

Token: SeDebugPrivilege 2372 63a0509c0c7e8dcb75f57331cfa6bd38.exe

description	pid	process
Token: SeDebugPrivilege	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

63a0509c0c7e8dcb75f57331cfa6bd38.exe

description	pid	process	target process
PID 2372 wrote to memory of 2176	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 2176	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 2176	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 2176	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe
PID 2372 wrote to memory of 3016	2372	63a0509c0c7e8dcb75f57331cfa6bd38.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\63a0509c0c7e8dcb75f57331cfa6bd38.exe
"C:\Users\Admin\AppData\Local\Temp\63a0509c0c7e8dcb75f57331cfa6bd38.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\winamp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\\winamp\svhost.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\winamp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\winamp\svhost.exe"
3⤵
PID:2900

C:\Windows\SysWOW64\winupdate\svchost.exe
"C:\Windows\system32\winupdate\svchost.exe"
4⤵
PID:3036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:2424

C:\Windows\SysWOW64\winupdate\svchost.exe
"C:\Windows\system32\winupdate\svchost.exe"
3⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\winamp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\\winamp\svhost.exe
2⤵
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-33-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1816-1244-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1816-564-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/1816-280-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1816-336-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2372-2-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-0-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-28-0x0000000074870000-0x0000000074E1B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-1-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/2900-2103-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/2900-867-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/3016-27-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-13-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-12-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-11-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-14-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-16-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-18-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-20-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-24-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3016-26-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads