cybergate | 756508ea3798cff859903929c4cca1f9e17e76d078123d5371d976c027906d65

General

Target

c19cc7c41cb7460b3b2c6521f1b9daef.exe
Size

373KB
MD5

c19cc7c41cb7460b3b2c6521f1b9daef
SHA1

efdae6486a820200258740e8c1bf116955c34224
SHA256

756508ea3798cff859903929c4cca1f9e17e76d078123d5371d976c027906d65
SHA512

72ec2f151944c58437343754862df5d09d17c3829b1fc7254ae44313f6e46b9d710a43c45b19efc42fba5c031a625f89a6491cb78d69497f03d5869c00e9d426
SSDEEP

6144:d3rPltasYzp79j2zrFHEPl+xH/UdTJHVKhrEtCyWsEKTnTj5v4:Rna3NNGh6Ul/k3LfEAv5w

Score

10^/10

cybergate cyber persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

1yop.no-ip.biz:100

Mutex

7R65OQ0XHTGJ73

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Executes dropped EXE 1 IoCs

pid	Process
2824	audiodgi.exe

Loads dropped DLL 1 IoCs

pid	Process
1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe
2824	audiodgi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe
Token: SeDebugPrivilege	2824	audiodgi.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 1884	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	28
PID 1152 wrote to memory of 2824	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	29
PID 1152 wrote to memory of 2824	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	29
PID 1152 wrote to memory of 2824	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	29
PID 1152 wrote to memory of 2824	1152	c19cc7c41cb7460b3b2c6521f1b9daef.exe	29

C:\Users\Admin\AppData\Local\Temp\c19cc7c41cb7460b3b2c6521f1b9daef.exe
"C:\Users\Admin\AppData\Local\Temp\c19cc7c41cb7460b3b2c6521f1b9daef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\c19cc7c41cb7460b3b2c6521f1b9daef.exe
  C:\Users\Admin\AppData\Local\Temp\c19cc7c41cb7460b3b2c6521f1b9daef.exe
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
    "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
    3⤵
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
eddba92f201ca73d90517abdd63048d0

SHA1
1b4398b8d6fb6b736edd4650f9a455708347e2c1

SHA256
bcdc41df47f937bd9b8250c9799a7f1b0c910dde8846ca64027a54d07aa339c7

SHA512
83f3b0e6f41ee370972a089c806d0bb4abdffc06b1b3006e5f33a5c5e6cfd87069fdfee88000b35300bd3bfb6113247cb6f8ecc8a69964d2993621a15c9f5555

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe

Filesize
373KB

MD5
c19cc7c41cb7460b3b2c6521f1b9daef

SHA1
efdae6486a820200258740e8c1bf116955c34224

SHA256
756508ea3798cff859903929c4cca1f9e17e76d078123d5371d976c027906d65

SHA512
72ec2f151944c58437343754862df5d09d17c3829b1fc7254ae44313f6e46b9d710a43c45b19efc42fba5c031a625f89a6491cb78d69497f03d5869c00e9d426

Download Submit
\Users\Admin\AppData\Local\Temp\System\audiodgi.exe

Filesize
8KB

MD5
13da1958462e33bd431ed429fbf0da06

SHA1
90699d7b1e43c53b3ed31acc19f3daf758bd4262

SHA256
9fd3a80e2e961f13a35d5637d2401b914d41a32662135c1fded655c73d5b1264

SHA512
84403df4cd56cdae97372b2b63201713d000588c2a7d135eabf65bd85ef70b0b70f30bd30742b0fe0aa0e30fbca1df95755c4c64e24599269b277d7bde9e7263

Download Submit
\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe

Filesize
304KB

MD5
e7bb843d26cb93b4ae7980b775a56d55

SHA1
cba916356a57d35b803edde1579428ec8ce86215

SHA256
09a47f0a5ced8d4649fe92899f1e5659ac2b21c6cc4709221e4aa4709a80a45a

SHA512
e8052d753b8b0128c35c10891601aa1a0a8cf600e1298944d1bc8627a4c12dacd120906323007498e2d8449b7fcebffb5623f33043bc7bde8d0b618910d864ca

Download Submit
\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe

Filesize
236KB

MD5
a2674d1eac38676b68c39eb4676be164

SHA1
48e7af1dae4040f83e24181dd7c19a55bfaea9ce

SHA256
6ced2cff19896165261b5d6ce5397a791b6ca82399fbbe418fd55ce92e7bc273

SHA512
4fbf0164c2f510370267e145d66cab535c54cfc1b8f175521ea005845856af019993d065694769ef253a0c1acfe736818458a7ade2d1d4987214ef86691f9081

Download Submit
memory/1152-361-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-1-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-2-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-0-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-359-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-45-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1708-387-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1708-82-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1708-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1884-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1884-10-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-7-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-18-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-14-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-13-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-11-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-12-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1984-363-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1984-365-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2824-28-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-27-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2824-378-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-380-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2824-26-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-34-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2888-33-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-35-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-384-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-385-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2888-386-0x0000000074E60000-0x000000007540B000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads