cybergate | 6abbdf595f2e45eb79e8e6b04d115a89aaf0d0c1ed011c90e6b01bfa64632d6a

Analysis

max time kernel
20s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

491aab484281274b4f496705c3997c9c.exe
Size

440KB
MD5

491aab484281274b4f496705c3997c9c
SHA1

fd28638987c9d5411bb9e41ecf83033f62c7d59b
SHA256

6abbdf595f2e45eb79e8e6b04d115a89aaf0d0c1ed011c90e6b01bfa64632d6a
SHA512

d79a986403e7646936c5fe2258eb62cb536f9d6bad817013ca893af816b400552c727fdf976d1de00fc011ef5e28b0d3c6e9c2ef327ca47f836ae985b2d8c002
SSDEEP

12288:Gqq5tNa6ir4ajCXi1R4x3RuP2/v2JiWs25n:Gq5Yauy4x3N/vei4h

Score

10^/10

cybergate vítima bootkit persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

xuladas1.myftp.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Startup
install_file
Winstart.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCUj
regkey_hklm
HKLMj

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	491aab484281274b4f496705c3997c9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Startup\\Winstart.exe"	491aab484281274b4f496705c3997c9c.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	491aab484281274b4f496705c3997c9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\Startup\\Winstart.exe"	491aab484281274b4f496705c3997c9c.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	491aab484281274b4f496705c3997c9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Program Files (x86)\\Startup\\Winstart.exe Restart"	491aab484281274b4f496705c3997c9c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/636-9-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-11-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-12-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-13-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/636-17-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLMj = "C:\\Program Files (x86)\\Startup\\Winstart.exe"	491aab484281274b4f496705c3997c9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCUj = "C:\\Program Files (x86)\\Startup\\Winstart.exe"	491aab484281274b4f496705c3997c9c.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	491aab484281274b4f496705c3997c9c.exe
File opened for modification	\??\PhysicalDrive0	491aab484281274b4f496705c3997c9c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4904 set thread context of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 1064 set thread context of 636	1064	491aab484281274b4f496705c3997c9c.exe	97

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Startup\Winstart.exe	491aab484281274b4f496705c3997c9c.exe
File opened for modification	C:\Program Files (x86)\Startup\Winstart.exe	491aab484281274b4f496705c3997c9c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
636	491aab484281274b4f496705c3997c9c.exe
636	491aab484281274b4f496705c3997c9c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
636	491aab484281274b4f496705c3997c9c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4904	491aab484281274b4f496705c3997c9c.exe
1064	491aab484281274b4f496705c3997c9c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 4904 wrote to memory of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 4904 wrote to memory of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 4904 wrote to memory of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 4904 wrote to memory of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 4904 wrote to memory of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 4904 wrote to memory of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 4904 wrote to memory of 1064	4904	491aab484281274b4f496705c3997c9c.exe	95
PID 1064 wrote to memory of 636	1064	491aab484281274b4f496705c3997c9c.exe	97
PID 1064 wrote to memory of 636	1064	491aab484281274b4f496705c3997c9c.exe	97
PID 1064 wrote to memory of 636	1064	491aab484281274b4f496705c3997c9c.exe	97
PID 1064 wrote to memory of 636	1064	491aab484281274b4f496705c3997c9c.exe	97
PID 1064 wrote to memory of 636	1064	491aab484281274b4f496705c3997c9c.exe	97
PID 1064 wrote to memory of 636	1064	491aab484281274b4f496705c3997c9c.exe	97
PID 1064 wrote to memory of 636	1064	491aab484281274b4f496705c3997c9c.exe	97
PID 1064 wrote to memory of 636	1064	491aab484281274b4f496705c3997c9c.exe	97
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53
PID 636 wrote to memory of 3428	636	491aab484281274b4f496705c3997c9c.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\491aab484281274b4f496705c3997c9c.exe
  "C:\Users\Admin\AppData\Local\Temp\491aab484281274b4f496705c3997c9c.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\491aab484281274b4f496705c3997c9c.exe
    "C:\Users\Admin\AppData\Local\Temp\491aab484281274b4f496705c3997c9c.exe"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\491aab484281274b4f496705c3997c9c.exe
      "C:\Users\Admin\AppData\Local\Temp\491aab484281274b4f496705c3997c9c.exe"
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-11-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-12-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/636-17-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1064-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1064-6-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2696-21-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2696-22-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download