cybergate | e578d57a7eeacf007eb83cbf053f3f78afedaeab18a3f8da8e40f9db5bb41c77

Analysis

max time kernel
146s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c512bb486ee7428d22e364a627faa83f.exe
Size

675KB
MD5

c512bb486ee7428d22e364a627faa83f
SHA1

c8c8338810c8fb10ac29adbf89b224406ab026ce
SHA256

e578d57a7eeacf007eb83cbf053f3f78afedaeab18a3f8da8e40f9db5bb41c77
SHA512

fc20b3807a47a9301976150a0edb3c9ca723c678d0d5e92c281e593c4aed8fdd364af9121b8ca9db2294f962d06c53c51e59292749fe725f8f616bb3cdc775b0
SSDEEP

12288:dBPDXS5Dkk6op3Yywy2CAynxd51IpTqtVQzR2OVvrKIaApS:u5Dkk6wYywy2+pCTDrK

Score

10^/10

cybergate server persistence stealer trojan

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

tyfnanl.zapto.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Media
install_file
rundll32.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
rundll32.exe
regkey_hklm
rundll32.exe

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Ventrilo.eXe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rundll32 = "C:\\Windows\\Media\\rundll32.exe"	Ventrilo.eXe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Ventrilo.eXe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rundll32 = "C:\\Windows\\Media\\rundll32.exe"	Ventrilo.eXe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7U033341-KC3X-L880-B7XH-3Q7NWR8U1HS2}	Ventrilo.eXe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7U033341-KC3X-L880-B7XH-3Q7NWR8U1HS2}\StubPath = "C:\\Windows\\Media\\rundll32.exe Restart"	Ventrilo.eXe

Executes dropped EXE 2 IoCs

pid	Process
2524	Ventrilo.exe
2560	Ventrilo.eXe

Loads dropped DLL 6 IoCs

pid	Process
1400	c512bb486ee7428d22e364a627faa83f.exe
1400	c512bb486ee7428d22e364a627faa83f.exe
1400	c512bb486ee7428d22e364a627faa83f.exe
1400	c512bb486ee7428d22e364a627faa83f.exe
1400	c512bb486ee7428d22e364a627faa83f.exe
2524	Ventrilo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Windows\\Media\\rundll32.exe"	Ventrilo.eXe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Windows\\Media\\rundll32.exe"	Ventrilo.eXe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2560	2524	Ventrilo.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Media\rundll32.exe	Ventrilo.eXe
File opened for modification	C:\Windows\Media\rundll32.exe	Ventrilo.eXe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2104	DllHost.exe
2560	Ventrilo.eXe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1400	c512bb486ee7428d22e364a627faa83f.exe
2524	Ventrilo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2524	1400	c512bb486ee7428d22e364a627faa83f.exe	29
PID 1400 wrote to memory of 2524	1400	c512bb486ee7428d22e364a627faa83f.exe	29
PID 1400 wrote to memory of 2524	1400	c512bb486ee7428d22e364a627faa83f.exe	29
PID 1400 wrote to memory of 2524	1400	c512bb486ee7428d22e364a627faa83f.exe	29
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2524 wrote to memory of 2560	2524	Ventrilo.exe	30
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21
PID 2560 wrote to memory of 1408	2560	Ventrilo.eXe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\c512bb486ee7428d22e364a627faa83f.exe
  "C:\Users\Admin\AppData\Local\Temp\c512bb486ee7428d22e364a627faa83f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\msx8CE4\Ventrilo.exe
    "C:\Users\Admin\AppData\Local\Temp\msx8CE4\Ventrilo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\msx8CE4\Ventrilo.eXe
      C:\Users\Admin\AppData\Local\Temp\msx8CE4\Ventrilo.eXe
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2044

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msx8CE4\Ventrilo.exe

Filesize
243KB

MD5
fa57e1870481b08e2b4f6acd5aef07cf

SHA1
6b7830ebac64f547c91f8a018c2d0620274c3556

SHA256
74eaf0455f823ebc7aa4d19cd5ca35745a76789ccd235beba7f918a2da3dfe18

SHA512
cc76f3b7c72b3da2505a807215a49f8b8769f98cad73ede1440bc9eb9e11fa6150ee789249480eba3d24eacf60f02d950ff10e1e567f750b70731bca3685c7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msx8CE4\Ventrilo.exe

Filesize
27KB

MD5
786aad243dbd1616ba2daaac9ee934fb

SHA1
3f038cfbddeeda0e8dd04e6155ec4e6647916331

SHA256
dbf0441283f58e358bb8df32bf9ec5f1a071c399bd207670b2f3d7d263bec90e

SHA512
debad72125ed3d7ddf2b01ea8eae33fe66885faa3e52c77306f32a842c9e84d0b7fe881a18eacd17e5dc175e7247f5af4372ab27ac83edb1bb8485f7f1bf48d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msx8CE4\mavidmxt9.jpg

Filesize
128KB

MD5
b079026378da832ba00bd83f7a64a96e

SHA1
a128f6db65551f8a2bc049a51a39570f263a012f

SHA256
a8c7f733c8e26f19214dfa589ad662b482fbdd25adb227df8e7ad182d67802f7

SHA512
ad7a98cf82b1bfaf0600f0dafbb4a37c1d20f656d3ea2f3516a569bfb610311ea262cd9a9ee9a747039cbb9065575f47b32b435a176e5347461ebae5fbb25697

Download Submit
\Users\Admin\AppData\Local\Temp\msx8CE4\Ventrilo.exe

Filesize
338KB

MD5
3d442cd6a976103af4d3c4c586f760c6

SHA1
a5df7f66c47acb956c6375302c56aaa9e71e9040

SHA256
bfdb6074f93c260216f75db816c94b841b765b19dc58416c6a0ce16e7281d100

SHA512
702db74b130eeeb6b0a87a97acb7c2023871a05432b2ebab959cc628a572dd1fbfcbd45d764dbbb6f07da6f995be16cddde8805c8190d52dd5a375f3c6263416

Download Submit
memory/1400-13-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/1400-12-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/1400-2-0x0000000002210000-0x0000000002212000-memory.dmp

Filesize
8KB

Download
memory/1408-39-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2044-284-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2044-282-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2104-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2104-3-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2104-325-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2524-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2524-29-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/2524-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2560-30-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2560-35-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2560-34-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2560-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2560-399-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads