cybergate | 7f6fa7cb7c1b8bbc8ddc2f73960480f528250fac8842912520edf85b64924605

General

Target

7500ce0c4a42420ae8e50c241974c891.exe
Size

1.3MB
MD5

7500ce0c4a42420ae8e50c241974c891
SHA1

be311f95a2af46db1366aca7c646c11d89454c18
SHA256

7f6fa7cb7c1b8bbc8ddc2f73960480f528250fac8842912520edf85b64924605
SHA512

007be785b20216cdae025af249b5a189735dfad746de44799432ab4233d338cc4ac131c0d3b9bcca7256b38bba21082ba571affe540cbf95a5e4526c5e6c5313
SSDEEP

24576:SREZ+/P4hfk7jxzh0r6tr+L4U+sufkCTEy7OMyuXl38r8U:SREnOYKrU4ZtfzTEyfw

Score

10^/10

cybergate king spyware stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.01.8

Botnet

King

C2

kingz.zapto.org:4578

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winbooter
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Owned?
message_box_title
CyberGate
password
420
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Executes dropped EXE 2 IoCs

Processes:

2345.exewinupdate.exe

pid process

824 2345.exe
2580 winupdate.exe

pid	process
824	2345.exe
2580	winupdate.exe

Loads dropped DLL 7 IoCs

Processes:

7500ce0c4a42420ae8e50c241974c891.exe2345.exewinupdate.exedw20.exe

pid	process
2512	7500ce0c4a42420ae8e50c241974c891.exe
2512	7500ce0c4a42420ae8e50c241974c891.exe
824	2345.exe
2580	winupdate.exe
2580	winupdate.exe
2580	winupdate.exe
2600	dw20.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

2345.exe

description pid process target process

PID 824 set thread context of 2580 824 2345.exe winupdate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

7500ce0c4a42420ae8e50c241974c891.exe2345.exe

pid process

2512 7500ce0c4a42420ae8e50c241974c891.exe
2512 7500ce0c4a42420ae8e50c241974c891.exe
824 2345.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

2600 dw20.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7500ce0c4a42420ae8e50c241974c891.exe2345.exe

description pid process

Token: SeDebugPrivilege 2512 7500ce0c4a42420ae8e50c241974c891.exe
Token: SeDebugPrivilege 824 2345.exe

description	pid	process	target process
PID 824 set thread context of 2580	824	2345.exe	winupdate.exe

pid	process
2600	dw20.exe

description	pid	process
Token: SeDebugPrivilege	2512	7500ce0c4a42420ae8e50c241974c891.exe
Token: SeDebugPrivilege	824	2345.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

7500ce0c4a42420ae8e50c241974c891.exe2345.execsc.exe

description	pid	process	target process
PID 2512 wrote to memory of 824	2512	7500ce0c4a42420ae8e50c241974c891.exe	2345.exe
PID 2512 wrote to memory of 824	2512	7500ce0c4a42420ae8e50c241974c891.exe	2345.exe
PID 2512 wrote to memory of 824	2512	7500ce0c4a42420ae8e50c241974c891.exe	2345.exe
PID 2512 wrote to memory of 824	2512	7500ce0c4a42420ae8e50c241974c891.exe	2345.exe
PID 824 wrote to memory of 2896	824	2345.exe	csc.exe
PID 824 wrote to memory of 2896	824	2345.exe	csc.exe
PID 824 wrote to memory of 2896	824	2345.exe	csc.exe
PID 824 wrote to memory of 2896	824	2345.exe	csc.exe
PID 2896 wrote to memory of 2608	2896	csc.exe	cvtres.exe
PID 2896 wrote to memory of 2608	2896	csc.exe	cvtres.exe
PID 2896 wrote to memory of 2608	2896	csc.exe	cvtres.exe
PID 2896 wrote to memory of 2608	2896	csc.exe	cvtres.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2580	824	2345.exe	winupdate.exe
PID 824 wrote to memory of 2600	824	2345.exe	dw20.exe
PID 824 wrote to memory of 2600	824	2345.exe	dw20.exe
PID 824 wrote to memory of 2600	824	2345.exe	dw20.exe
PID 824 wrote to memory of 2600	824	2345.exe	dw20.exe
PID 2512 wrote to memory of 1908	2512	7500ce0c4a42420ae8e50c241974c891.exe	dw20.exe
PID 2512 wrote to memory of 1908	2512	7500ce0c4a42420ae8e50c241974c891.exe	dw20.exe
PID 2512 wrote to memory of 1908	2512	7500ce0c4a42420ae8e50c241974c891.exe	dw20.exe
PID 2512 wrote to memory of 1908	2512	7500ce0c4a42420ae8e50c241974c891.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\7500ce0c4a42420ae8e50c241974c891.exe
"C:\Users\Admin\AppData\Local\Temp\7500ce0c4a42420ae8e50c241974c891.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\2345.exe
"C:\Users\Admin\AppData\Local\Temp\2345.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7qt4dcoe.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4432.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4431.tmp"
4⤵
PID:2608

C:\Users\Admin\AppData\Roaming\winupdate.exe
C:\Users\Admin\AppData\Roaming\winupdate.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 512
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1400
2⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7qt4dcoe.dll
Filesize
5KB

MD5
098767412968a9ef08dc7482a941dbdf

SHA1
8f2daa6a6ee8fb07792545e88ff8e0a6548a9a42

SHA256
c4edfc8e0e2ce71641693f8396ec8bfb11e33272a473f86f32488ccce85f96c6

SHA512
d2f4bb57caa5079263514f2bbc2f203935896326d4b3b9b9e24ee2a3f7d5e65a16a7d6e94d491a38ba7ffc514a2e0215c83261e39a9849e52b7da84da161096b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4432.tmp
Filesize
1KB

MD5
aa9a562df1892a45685cc25b64a12f48

SHA1
7886f07714560f6655ee2e126d37fe433816f734

SHA256
59e25ca34b5eaefa712191240be5906029b2085ffabadd19b7ccdd1e5ed030e8

SHA512
1ccba8f8ca020a6c28ec0094ded4709a93cea7767c843e53f586087e7aaac8a9d85f845dda428551a872ae4e1f2817cbb7b44ae09d2fa0ec41302e220b2c29a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7qt4dcoe.0.cs
Filesize
4KB

MD5
2216d197bc442e875016eba15c07a937

SHA1
37528e21ea3271b85d276c6bd003e6c60c81545d

SHA256
2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

SHA512
7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7qt4dcoe.cmdline
Filesize
206B

MD5
ec2034faaff27e335c9932057874c1f5

SHA1
49d214453f571063f04ad182051d955b728a659a

SHA256
90cbfcab8fcaea338c83fee3a74db4fd82a59d2601af562b13ea6482cb778fb6

SHA512
038f5a107ed9ae80830f819837aa0278f89b3ab9f96cfacf41e39ccbb53a4a55bed6ee59a14791115224b9057ea7e7f6e86cc9ad3155b9e3b7cc5b5e2936c471

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4431.tmp
Filesize
652B

MD5
4ded2928fc25cbfb2c3b146fd8aaada4

SHA1
b22c5e6621719a1023cd2faa1e5201b1416ca3bd

SHA256
6fd21ccb55e7d50a554242342f7860fc1d4ea9bd1296df2eec2e68a8d770f500

SHA512
0e7f6efcaf9a425f26758a112395fdde60791e9121213e84319ddcaa3153461fd7b743029240629b41443b336ac175fcffedab26b9e52921b87dc0e2d0494578

Download Submit
\Users\Admin\AppData\Local\Temp\2345.exe
Filesize
1.2MB

MD5
6f11b39eaff7f49386951fb80c5ea8e0

SHA1
6059a7b86042eefc0d0c289dafd7ab75ba056a1f

SHA256
b8b2165d7b71895b660c335b133aa34db9ffbe36bd8abcd77f260a31a7045910

SHA512
8f7c10910039e6822615907269432885d046a3c8fc58dab980e931c52aec51a4d0988976c6176ee93e99ce81c4c052137f967e6e62d8be64355dff2c769caa82

Download Submit
\Users\Admin\AppData\Local\Temp\2345.exe
Filesize
418KB

MD5
5e74a7d82c882246b668ca91940b35c9

SHA1
c5cd950a4f8bcf4dcbde2b1e5b5f825a5b35d0a9

SHA256
b086879dfe7cc763984b4b5884beccc34ddead9d438e115c9bc044092fb36998

SHA512
080126f82e1b8aa5a2dd898166b1aedd9c5607f81b805533220f593a0ea1f65d09960bffa1beb5e034d1066b0c9b835398dcc4a0f6693b312d8529517ccea7e2

Download Submit
\Users\Admin\AppData\Roaming\winupdate.exe
Filesize
12KB

MD5
41304f17702b85c2dd8b737b3f814f84

SHA1
cd37f2b770ad7cfe07b4d7e83e10158dd2e457c7

SHA256
a696628b4e489ff49e7af05d46b8658ee206502deaf7b16cca36a54f4593ddbe

SHA512
c5d1351ba0aed08586999014caa8271e491c0359bb42a444096dc161cc31e49b14d65a5daa4646066fe1dc3874528309dc9bd4022c6899eb94a278e798aeb46b

Download Submit
memory/824-16-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/824-14-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/824-13-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/824-85-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/824-84-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-80-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2512-2-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/2512-0-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-83-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/2512-81-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-1-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-33-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-73-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-51-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-49-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-62-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-60-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-69-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-37-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-41-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-58-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-76-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-78-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-43-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2580-35-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2600-74-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2600-87-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing