cybergate | 4449b45c2b457df70f29bf77af2a652ae9c43511cdff20005d294764416097e3

General

Target

4449b45c2b457df70f29bf77af2a652ae9c43511cdff20005d294764416097e3
Size

690KB
Sample

220919-ckfk6afhan
MD5

41ce2a4aca6f1d76654abaa9fbf35ad2
SHA1

11e6bc0a91ad2c61a618204c3b061e542b4e5f3d
SHA256

4449b45c2b457df70f29bf77af2a652ae9c43511cdff20005d294764416097e3
SHA512

3a000b58e08d7d3af67141d2e10e649d238226e92f035b30eb9055854c8a5c4cf3d7df911ff3d24060941f9cfd4b5449085b7e6e888bab0399d4bdd887767c4f
SSDEEP

12288:7WfHoz83OtIEzW+/m/AyF7bCrO/E/rTIGlei5tz8zgo20BTySY:7WEbIEzW+/m/rF7kcmHlZIglo/Y

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Hacked

C2

toni2011.no-ip.org:999

Mutex

2O73OT2544HJX1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
gaetano
regkey_hkcu
Microsoft
regkey_hklm
Microsoft

Targets

- Target
  
  4449b45c2b457df70f29bf77af2a652ae9c43511cdff20005d294764416097e3
- Size
  
  690KB
- MD5
  
  41ce2a4aca6f1d76654abaa9fbf35ad2
- SHA1
  
  11e6bc0a91ad2c61a618204c3b061e542b4e5f3d
- SHA256
  
  4449b45c2b457df70f29bf77af2a652ae9c43511cdff20005d294764416097e3
- SHA512
  
  3a000b58e08d7d3af67141d2e10e649d238226e92f035b30eb9055854c8a5c4cf3d7df911ff3d24060941f9cfd4b5449085b7e6e888bab0399d4bdd887767c4f
- SSDEEP
  
  12288:7WfHoz83OtIEzW+/m/AyF7bCrO/E/rTIGlei5tz8zgo20BTySY:7WEbIEzW+/m/rF7kcmHlZIglo/Y
Score

10^/10

cybergate hacked persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2