cybergate | 068b16ffecd8bc7f76e95c95eb1d16d7317e29c92e23c83e711cca42eee27731

General

Target

068b16ffecd8bc7f76e95c95eb1d16d7317e29c92e23c83e711cca42eee27731
Size

914KB
Sample

221002-rnyngaadd6
MD5

6c3b660d083c662e160bb3752907e771
SHA1

c0de419382dbf804aa56ae40d2fb9450976c33cd
SHA256

068b16ffecd8bc7f76e95c95eb1d16d7317e29c92e23c83e711cca42eee27731
SHA512

58b36262318219db3e59251a57327d5704b30afdf3ae951fa255604756e8d276c70670a7b998e7eadecd325f317b2b9ac24dc0e90ec4852977ae3e791bc974a7
SSDEEP

12288:JzfPf4mr1crpkEPbahKthc9EG1j+4a2ULZ7dFnFnFtZ2zkPaCxB:JzfYe1c6MOhKXEa2UdBZOkln

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

hack PB

C2

anonymofdp.no-ip.biz:82

anonymofdp.no-ip.biz:2014

anonymofdp.no-ip.biz:9030

anonymofdp.no-ip.biz:1000

anonymofdp.no-ip.biz:2222

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
hackpb atualizado.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  068b16ffecd8bc7f76e95c95eb1d16d7317e29c92e23c83e711cca42eee27731
- Size
  
  914KB
- MD5
  
  6c3b660d083c662e160bb3752907e771
- SHA1
  
  c0de419382dbf804aa56ae40d2fb9450976c33cd
- SHA256
  
  068b16ffecd8bc7f76e95c95eb1d16d7317e29c92e23c83e711cca42eee27731
- SHA512
  
  58b36262318219db3e59251a57327d5704b30afdf3ae951fa255604756e8d276c70670a7b998e7eadecd325f317b2b9ac24dc0e90ec4852977ae3e791bc974a7
- SSDEEP
  
  12288:JzfPf4mr1crpkEPbahKthc9EG1j+4a2ULZ7dFnFnFtZ2zkPaCxB:JzfYe1c6MOhKXEa2UdBZOkln
Score

10^/10

cybergate hack pb persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2