cybergate | 3ad4e87985867c0e5313e37242a6a488b86b79085356975a32dde67bbd209856

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d54fe0fe99064b7a1e3b6db4aac87d13.exe
Size

214KB
MD5

d54fe0fe99064b7a1e3b6db4aac87d13
SHA1

7aa9578e3ca5fd30f10de8a5c90a556085193572
SHA256

3ad4e87985867c0e5313e37242a6a488b86b79085356975a32dde67bbd209856
SHA512

e6643011f2f68b89985623211e0e9d90e2c5e8da3cc41b0968cb74cbbb40ac4c8cde3602401b4dda53bf17132afa8b8c7b0952e496b85cd8692384f7fed6953f
SSDEEP

3072:zJem1ov4DMDwh9tvWbI8gDrXdQ+oJ96qKKaEv50QgzwuZptcniN:zJem+1atYI8StEzLKKV5HgzwuF

Score

10^/10

cybergate vítima persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.2.3

Botnet

vítima

infectadito.sytes.net:81

Mutex

jajaja...

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
60
ftp_password
deboletin123
ftp_port
21
ftp_server
ftp.deboleto.pe
ftp_username
deboleto
injected_process
explorer.exe
install_dir
Win32
install_file
notepad.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Error de compatibilidad
message_box_title
RunDLL
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d54fe0fe99064b7a1e3b6db4aac87d13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\notepad.exe"	d54fe0fe99064b7a1e3b6db4aac87d13.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d54fe0fe99064b7a1e3b6db4aac87d13.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Win32\\notepad.exe"	d54fe0fe99064b7a1e3b6db4aac87d13.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{37RHWP1C-6K3R-R461-6W51-JS2REX1PX2Y3}	d54fe0fe99064b7a1e3b6db4aac87d13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37RHWP1C-6K3R-R461-6W51-JS2REX1PX2Y3}\StubPath = "C:\\Windows\\Win32\\notepad.exe Restart"	d54fe0fe99064b7a1e3b6db4aac87d13.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{37RHWP1C-6K3R-R461-6W51-JS2REX1PX2Y3}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37RHWP1C-6K3R-R461-6W51-JS2REX1PX2Y3}\StubPath = "C:\\Windows\\Win32\\notepad.exe"	explorer.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2536-3-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2536-5-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2536-7-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2536-8-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2536-12-0x0000000024010000-0x000000002404E000-memory.dmp	upx
behavioral2/memory/2536-60-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/2840-64-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/2840-65-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/2536-69-0x0000000024090000-0x00000000240CE000-memory.dmp	upx
behavioral2/memory/2536-90-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2536-127-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/388-126-0x00000000240D0000-0x000000002410E000-memory.dmp	upx
behavioral2/memory/2840-152-0x0000000024050000-0x000000002408E000-memory.dmp	upx
behavioral2/memory/388-178-0x00000000240D0000-0x000000002410E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\Win32\\notepad.exe"	d54fe0fe99064b7a1e3b6db4aac87d13.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\Win32\\notepad.exe"	d54fe0fe99064b7a1e3b6db4aac87d13.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Win32\notepad.exe	d54fe0fe99064b7a1e3b6db4aac87d13.exe
File opened for modification	C:\Windows\Win32\notepad.exe	d54fe0fe99064b7a1e3b6db4aac87d13.exe
File opened for modification	C:\Windows\Win32\notepad.exe	d54fe0fe99064b7a1e3b6db4aac87d13.exe
File opened for modification	C:\Windows\Win32\	d54fe0fe99064b7a1e3b6db4aac87d13.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe
2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
388	d54fe0fe99064b7a1e3b6db4aac87d13.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	d54fe0fe99064b7a1e3b6db4aac87d13.exe
Token: SeDebugPrivilege	388	d54fe0fe99064b7a1e3b6db4aac87d13.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88
PID 2224 wrote to memory of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88
PID 2224 wrote to memory of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88
PID 2224 wrote to memory of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88
PID 2224 wrote to memory of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88
PID 2224 wrote to memory of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88
PID 2224 wrote to memory of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88
PID 2224 wrote to memory of 2536	2224	d54fe0fe99064b7a1e3b6db4aac87d13.exe	88
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56
PID 2536 wrote to memory of 3384	2536	d54fe0fe99064b7a1e3b6db4aac87d13.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\d54fe0fe99064b7a1e3b6db4aac87d13.exe
  "C:\Users\Admin\AppData\Local\Temp\d54fe0fe99064b7a1e3b6db4aac87d13.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\d54fe0fe99064b7a1e3b6db4aac87d13.exe
    C:\Users\Admin\AppData\Local\Temp\d54fe0fe99064b7a1e3b6db4aac87d13.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      PID:2840
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\d54fe0fe99064b7a1e3b6db4aac87d13.exe
      "C:\Users\Admin\AppData\Local\Temp\d54fe0fe99064b7a1e3b6db4aac87d13.exe"
      4⤵
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UuU.uUu

Filesize
8B

MD5
cbd2fc578bc35c1166cc3cc69d2b1c62

SHA1
cacbe4b5fe3bfd3a86a80144fd9d2f325c1fd665

SHA256
cd45a8a9bb9fddbf88e45e961260e98e251d45cb5e9414acd8632c818637337d

SHA512
78e6649d84dca5e1d8a0ec79dbfe3827d66edbcab8b6b9f5e04b50a7a22d0fc19cbdbf8050809a9dde3fa7623bcdc5748b0273c2841ad073cf314a9002b973a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
141KB

MD5
5d55401ad56043cac90f3ea6c608dde0

SHA1
3a83e011434125686df9672e9d9ef107b087dce5

SHA256
d701171389de4d999bacf21001768c15032c886dc35c9d9865a663cab60147a0

SHA512
10c20be9784421d20f9e834f41d9e9a58d7da05e9c3207b72c41bc5e930c3981a765e43e8114dd2faa736546e06ec85e7dd54b6c3bfb94b699b9c811c47112df

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
86f3c87caff4d7973404ff22c664505b

SHA1
245bc19c345bc8e73645cd35f5af640bc489da19

SHA256
e8ab966478c22925527b58b0a7c3d89e430690cbdabb44d501744e0ad0ac9ddb

SHA512
0940c4b339640f60f1a21fc9e4e958bf84f0e668f33a9b24d483d1e6bfcf35eca45335afee1d3b7ff6fd091b2e395c151af8af3300e154d3ea3fdb2b73872024

Download Submit
C:\Windows\Win32\notepad.exe

Filesize
214KB

MD5
d54fe0fe99064b7a1e3b6db4aac87d13

SHA1
7aa9578e3ca5fd30f10de8a5c90a556085193572

SHA256
3ad4e87985867c0e5313e37242a6a488b86b79085356975a32dde67bbd209856

SHA512
e6643011f2f68b89985623211e0e9d90e2c5e8da3cc41b0968cb74cbbb40ac4c8cde3602401b4dda53bf17132afa8b8c7b0952e496b85cd8692384f7fed6953f

Download Submit
memory/388-178-0x00000000240D0000-0x000000002410E000-memory.dmp

Filesize
248KB

Download
memory/388-126-0x00000000240D0000-0x000000002410E000-memory.dmp

Filesize
248KB

Download
memory/388-76-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2224-6-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2224-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2536-12-0x0000000024010000-0x000000002404E000-memory.dmp

Filesize
248KB

Download
memory/2536-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-60-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download
memory/2536-5-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-69-0x0000000024090000-0x00000000240CE000-memory.dmp

Filesize
248KB

Download
memory/2536-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-17-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/2840-16-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/2840-65-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download
memory/2840-152-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download
memory/2840-63-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/2840-64-0x0000000024050000-0x000000002408E000-memory.dmp

Filesize
248KB

Download