cybergate | 8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b

Analysis

max time kernel
119s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/03/2025, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Size

577KB
MD5

68954c7245521d519cbb3a385cb2c148
SHA1

a9ca115a8ba053d34b346712258cd38569fa9ff0
SHA256

8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b
SHA512

2c8c26c67d486d43f847fbb95d7e01ba38f4f6a57fb1ccf3b216909b2bd4228de68920e062711e48356b519660056281ae4f63e0fa743cb164004be755ce280f
SSDEEP

12288:3FRfn0O/l1hgLzINJzTPudj+NVjVsrhwyvywWHb06ePuwCuqtgjN/yZsZra:nn//lXqzaTPQ+Wrhw0y5LsuwCXGym

Score

10^/10

cybergate öííé discovery stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

127.0.0.1:288

Mutex

***MUTEX***

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Executes dropped EXE 1 IoCs

pid	Process
1028	Morph_.exe

Loads dropped DLL 1 IoCs

pid	Process
1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1028-259-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1028-275-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1028	Morph_.exe
1028	Morph_.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: SeIncBasePriorityPrivilege	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: 33	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: SeIncBasePriorityPrivilege	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: 33	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: SeIncBasePriorityPrivilege	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: 33	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: SeIncBasePriorityPrivilege	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: SeDebugPrivilege	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: 33	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
Token: SeIncBasePriorityPrivilege	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31
PID 1624 wrote to memory of 1028	1624	8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe	31

C:\Users\Admin\AppData\Local\Temp\8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe
"C:\Users\Admin\AppData\Local\Temp\8cf05013debe5bfebfb43cd6ea093581f9fb33179d3297cde5d59f0e5cb9e39b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\Morph_.exe_v52003C3A\TheApp\STUBEXE\@APPDATALOCAL@\Temp\Morph_.exe
  "C:\Users\Admin\AppData\Local\Temp\Morph_.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Xenocode\ApplianceCaches\Morph_.exe_v52003C3A\TheApp\STUBEXE\@APPDATALOCAL@\Temp\Morph_.exe

Filesize
16KB

MD5
d180a9affc66f6298e1c1cbe473d0766

SHA1
ec70e19a5e687770c6efe8d4d40339cddb0dc495

SHA256
9efa15963214fd4d81e26bba489788b1a3eed2d09511c8440802a628a7e2515c

SHA512
0d59e9d085c5fbf574b4635211b00becd6c88471b65332a5f29673193c171a2ec06e09869445006c81e6b8156fa78b3ee24bdc8b843260972e9326afd1e726bc

Download Submit
memory/1028-275-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1028-259-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1624-18-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-20-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-51-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-49-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-45-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-43-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-41-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-39-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-36-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-37-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-34-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-32-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-30-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-26-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-24-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-22-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-12-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-0-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-53-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-14-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-66-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-98-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-68-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-99-0x0000000077BF0000-0x0000000077BF1000-memory.dmp

Filesize
4KB

Download
memory/1624-64-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-62-0x0000000077BF0000-0x0000000077BF1000-memory.dmp

Filesize
4KB

Download
memory/1624-61-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-60-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-10-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-8-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-6-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-4-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-2-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-1-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-242-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-55-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-57-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-262-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download
memory/1624-28-0x0000000000350000-0x00000000003A2000-memory.dmp

Filesize
328KB

Download