cybergate | b2da4b954666148b9d4a528175842262e4d8c968af7ce9b49269dec632dbac9d

General

Target

b2da4b954666148b9d4a528175842262e4d8c968af7ce9b49269dec632dbac9d
Size

346KB
Sample

221004-gh7n3seea6
MD5

4ac582b0f68d0651ef5e13af76e0cff2
SHA1

0099f6b0482a328cf765941ae50d384be2fb4d80
SHA256

b2da4b954666148b9d4a528175842262e4d8c968af7ce9b49269dec632dbac9d
SHA512

ae4ef49f9a496ae6ae71e7bc4fc485aa0cc0c159eb4bfcbe71887b7f3345f829ce0e1bfd4c0913b8860dbb80dda0058a131a77a64a4f934d9dec4d8698488327
SSDEEP

6144:o57zUhoLM6ASK8E6chYRKvVB0rv46KTr9LYOEZrfatoD8HWlGcOnSQwnR8OV7I6Z:2KoL/K8E6chY5D46KTVYzRfRD82lGcOK

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

hacked

C2

hoota.zapto.org:288

hoota.no-ip.org:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
%temp%.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
thise program can not start.tr34.dll is missing
message_box_title
rong
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  b2da4b954666148b9d4a528175842262e4d8c968af7ce9b49269dec632dbac9d
- Size
  
  346KB
- MD5
  
  4ac582b0f68d0651ef5e13af76e0cff2
- SHA1
  
  0099f6b0482a328cf765941ae50d384be2fb4d80
- SHA256
  
  b2da4b954666148b9d4a528175842262e4d8c968af7ce9b49269dec632dbac9d
- SHA512
  
  ae4ef49f9a496ae6ae71e7bc4fc485aa0cc0c159eb4bfcbe71887b7f3345f829ce0e1bfd4c0913b8860dbb80dda0058a131a77a64a4f934d9dec4d8698488327
- SSDEEP
  
  6144:o57zUhoLM6ASK8E6chYRKvVB0rv46KTr9LYOEZrfatoD8HWlGcOnSQwnR8OV7I6Z:2KoL/K8E6chY5D46KTVYzRfRD82lGcOK
Score

10^/10

cybergate hacked persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2