cybergate | 4334f549dbd49fbe4cd4f29e17f1441d33c65f493ad0d802ea664f539011827a

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7180b86065fe1cc6ceab63ccb91f7f91.exe
Size

337KB
MD5

7180b86065fe1cc6ceab63ccb91f7f91
SHA1

d49e23bf71fedc49d483bc885b6ad202c9edea0d
SHA256

4334f549dbd49fbe4cd4f29e17f1441d33c65f493ad0d802ea664f539011827a
SHA512

255a3df74761de34e575780ece788f1e9a8b2c78590483f1a9c515a91da9508c6e8302e584cfc20259f343e2d88850a774a7d67396e5c6f45693278549f47ba4
SSDEEP

6144:j4Cf1WboCJIzBAAeTZrEcyKs1kNtpv/djAVo/RjrA7mxh7e2wK:km1WBJbh9fzNtp3d8Vo/e7AH

Score

10^/10

cybergate öííé persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

127.0.0.1:188

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	7180b86065fe1cc6ceab63ccb91f7f91.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7180b86065fe1cc6ceab63ccb91f7f91.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\windows.exe"	7180b86065fe1cc6ceab63ccb91f7f91.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7180b86065fe1cc6ceab63ccb91f7f91.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}	7180b86065fe1cc6ceab63ccb91f7f91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\windows.exe Restart"	7180b86065fe1cc6ceab63ccb91f7f91.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\microsoft\windows.exe	7180b86065fe1cc6ceab63ccb91f7f91.exe
File opened for modification	\??\c:\windows\SysWOW64\microsoft\windows.exe	7180b86065fe1cc6ceab63ccb91f7f91.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	7180b86065fe1cc6ceab63ccb91f7f91.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2420	7180b86065fe1cc6ceab63ccb91f7f91.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2256	7180b86065fe1cc6ceab63ccb91f7f91.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2256 wrote to memory of 2420	2256	7180b86065fe1cc6ceab63ccb91f7f91.exe	28
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21
PID 2420 wrote to memory of 1192	2420	7180b86065fe1cc6ceab63ccb91f7f91.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\7180b86065fe1cc6ceab63ccb91f7f91.exe
  "C:\Users\Admin\AppData\Local\Temp\7180b86065fe1cc6ceab63ccb91f7f91.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\7180b86065fe1cc6ceab63ccb91f7f91.exe
    C:\Users\Admin\AppData\Local\Temp\7180b86065fe1cc6ceab63ccb91f7f91.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-12-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2256-0-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2256-5-0x00000000036C0000-0x0000000003801000-memory.dmp

Filesize
1.3MB

Download
memory/2256-6-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2420-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2420-4-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2420-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2420-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2420-258-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3004-255-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download