cybergate | 1c0970c1c5a0b7e9cc4df84f827eb552f45bcb3718ef59a01390212253364bd4

Analysis

max time kernel
167s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6685dadf189743e471cb8102b84806d9.exe
Size

319KB
MD5

6685dadf189743e471cb8102b84806d9
SHA1

3b50eb5668387f102de26dc41a14e8eae723c687
SHA256

1c0970c1c5a0b7e9cc4df84f827eb552f45bcb3718ef59a01390212253364bd4
SHA512

36dd4c94ca622ea2413c49179cc49997e4e3b3291827da379c067fc36d0bbac44c5884270deee24e74cdbb9098423b173b9c1d22520973b0d671fc41700e73d8
SSDEEP

6144:RSpZ46Gp2lml9AGSOpDqWlx9fPLbFjW50nJ3iwjM87j49ndelPsFV0frVnz55d:R6Z49p2lEAGFRtLbF20nsafPOFepz5b

Score

10^/10

cybergate cyber stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

sybreed.no-ip.biz:82

Mutex

7AR723B2572JT7

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./upload/
ftp_interval
60
ftp_password
qazwsx123
ftp_port
21
ftp_server
ftp.moneyunderground.co.cc
ftp_username
exoprism
injected_process
explorer.exe
install_dir
install
install_file
WinUpdate.exe
install_flag
false
keylogger_enable_ftp
true
message_box_caption
This program is not compatible with your Operating System.
message_box_title
Error
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	6685dadf189743e471cb8102b84806d9.exe

Executes dropped EXE 2 IoCs

pid	Process
4368	explore.exe
2980	explore.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4368-83-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2980-87-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2980-88-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2980-107-0x0000000010410000-0x0000000010475000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	2980	explore.exe
Token: SeRestorePrivilege	2980	explore.exe
Token: SeDebugPrivilege	2980	explore.exe
Token: SeDebugPrivilege	2980	explore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4368	5084	6685dadf189743e471cb8102b84806d9.exe	96
PID 5084 wrote to memory of 4368	5084	6685dadf189743e471cb8102b84806d9.exe	96
PID 5084 wrote to memory of 4368	5084	6685dadf189743e471cb8102b84806d9.exe	96
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98
PID 4368 wrote to memory of 2980	4368	explore.exe	98

C:\Users\Admin\AppData\Local\Temp\6685dadf189743e471cb8102b84806d9.exe
"C:\Users\Admin\AppData\Local\Temp\6685dadf189743e471cb8102b84806d9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\explore.exe
  "C:\Users\Admin\AppData\Local\Temp\explore.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\explore.exe
    "C:\Users\Admin\AppData\Local\Temp\explore.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
8047995e0f01d0a951488814ec8c1d92

SHA1
da98cb7d7104a02050af16249317e0886352352c

SHA256
1f346bc506c9ce4704f42164444ff4d14b92477321ea830754d13cae2b3bc5d7

SHA512
e1372c7377ba8f275d840573fd9ad9fc3ab2ac3eee69b4e9a9f8bd11cbd726065e95f5807edb30062e0ace27e1d6c308fa9efa7193b99a66f8b70aa16e059670

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
9e27a1b860cebb4f52e469655662c2ff

SHA1
f3b51387497dd2f5c4e9f1fbc647665847b5079e

SHA256
fc5aa3e32da79cd07a7a00a78a5f6f663e355e85e473e4d98134946e9db89405

SHA512
9bde189fea94a3b973d3681d5606fe8ab8d3dd29631f8bf5db20c1fa1a7d6840325020a3f501831b1c8aebae5a5d98e98e10a0ddd2ff98d610541a06e67924ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
bda062c5c2a023657f87f645180791f9

SHA1
2db752524f7fa05d8c0e03e9784ec18c0c102f6c

SHA256
be5c1fceab27982fe1e14826b17816a91da252cd8e5ec1673cdf4cf56e6a4ce7

SHA512
f32eeeef889bfe6612b14e06f4be26a053937853ade1df65e23a137d63e47943f8db78ed1ab74e4a53bdf313ba1814a448da9e2266f3227ac9c9458664fcee33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d68976adff857c834d9a4b3dad211ffc

SHA1
0e0138abc47eed99091b355083d3085eb041b7c5

SHA256
809ecaeb4aa597eaba3dc65f5dcc35edb3073292adbfccd430e87cd91ee0213c

SHA512
c9c9be6155f84f8bd37560c56b49a8845344be527eb35af39baad2ab376ebb1ef0dc918fd4ac24649514bbbfbfc8c315eeae8c414f6bbb14e3c4adff20a76570

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
eb9360638425ad396b19069390a62d88

SHA1
c7a9044293048898392f13326010b8ed0349114b

SHA256
9616539572060cdf26fc80b131315aaca06fedb9575c625bd323154cdbe658d1

SHA512
8456e0394718045a1bf948a60b5dfb85a5898bed55fd159e3fce807cf5f85f3186816d8eb4d69d9a4336fce598a7974dafad9d1c6e784aeced6af01283a02045

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
89d702925277b3ab3cf2c2260c4816ac

SHA1
e886afd37044e1631f733b1ee30fdc50cc9571be

SHA256
425c95b525af078ab74897b23ba992405e6b9f27055863040c4d5c5ff60b2f6d

SHA512
94aecdee035baa8af5601aceedbb2299518b3c7caffe7cb2ccbb2336493b9dc9e7cfe42e50ce75923e4371ed6dd5ff3f31d106576f83884263e2e896747260f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
98ab5731b625601040e3949f11a6543a

SHA1
350564e0c46378fc42c2520442d434168bdec699

SHA256
a9d1d37129f5027fd3a8bc66a5e60a447ecc2fca7e4f39d478d740d6e0e2105f

SHA512
4ed99de744f93f9ce3c0220e9febc734343564db1d7b6c914c27a77a46919b454afb053192f265d92a9581fa057ce1cc9d80178ab2f3ad619e2c4fa17c7c41f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
40838ff1347441990147255f5854bd2a

SHA1
ad24a00af2ec704117061e5a538243b8d2b42b4e

SHA256
91e6f1a143d0fbfebc768a1b8e677266068a29cf66732372c32315bd40365108

SHA512
fb57f296e86404de2f892ce0b84f69335bf0f0492609c449e59405b5d26d978815c696e335a876ec5aa1b6f607d4417efd250a6ab3e0c3ee4a1308904f5c8ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\explore.exe

Filesize
296KB

MD5
bc2485c5c4cf25ddfaebaee7df8d7a02

SHA1
353129f991b2c630225fdf1935529191522a9692

SHA256
34e4746122bb095c4ab6282bf14e70f2b57c9744f80cdaa059d2dbe6278fbc01

SHA512
dad5f945545000abedfaf457011f9663147c40e36e01e11bf976ec538e3ee483fcbc5b59d0f00858d3b000bf00a0771c576837b831e338bdbaac005f5e03bb8d

Download Submit
memory/2980-25-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2980-107-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2980-88-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2980-87-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2980-86-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2980-26-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/4368-22-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4368-21-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4368-75-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4368-83-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/5084-9-0x000000001BD60000-0x000000001BDAC000-memory.dmp

Filesize
304KB

Download
memory/5084-20-0x00007FFC46730000-0x00007FFC470D1000-memory.dmp

Filesize
9.6MB

Download
memory/5084-10-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/5084-0-0x00007FFC46730000-0x00007FFC470D1000-memory.dmp

Filesize
9.6MB

Download
memory/5084-8-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/5084-7-0x00007FFC46730000-0x00007FFC470D1000-memory.dmp

Filesize
9.6MB

Download
memory/5084-6-0x000000001BC80000-0x000000001BD1C000-memory.dmp

Filesize
624KB

Download
memory/5084-5-0x00007FFC46730000-0x00007FFC470D1000-memory.dmp

Filesize
9.6MB

Download
memory/5084-4-0x000000001B710000-0x000000001BBDE000-memory.dmp

Filesize
4.8MB

Download
memory/5084-3-0x0000000000A40000-0x0000000000AE6000-memory.dmp

Filesize
664KB

Download
memory/5084-2-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/5084-1-0x00007FFC46730000-0x00007FFC470D1000-memory.dmp

Filesize
9.6MB

Download