cybergate | eeb55237fb44060b6ef24c27bd976017efd06e9ce9281b719040ead33bcbf0a4

General

Target

eeb55237fb44060b6ef24c27bd976017efd06e9ce9281b719040ead33bcbf0a4
Size

277KB
Sample

221011-cztrbsbah4
MD5

2384fbbc3867ca268d827f43a1f4b3c3
SHA1

3e82126f44059510c34182c06043366f1c33f110
SHA256

eeb55237fb44060b6ef24c27bd976017efd06e9ce9281b719040ead33bcbf0a4
SHA512

e23b2b41971a7dd15ad490018c0b7c0e678830723f95da0f3eda90c3c067930ac66a30a652f8edb833a646a0a9b100f3871c199017c4a4d0000114eedcae127d
SSDEEP

6144:jk4qmGRRDWU7s6ezbVlRO0nHkwBP0ang48XsOVK+:Y9Pxf7RE00hBP0am8j

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

737ngx.no-ip.org:81

Mutex

JFDS9F7SD8F890S8DF9SD

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinSys
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Fichier corrompu. L'image que vous avez sélectionner est défectueuse.
message_box_title
Erreur
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  eeb55237fb44060b6ef24c27bd976017efd06e9ce9281b719040ead33bcbf0a4
- Size
  
  277KB
- MD5
  
  2384fbbc3867ca268d827f43a1f4b3c3
- SHA1
  
  3e82126f44059510c34182c06043366f1c33f110
- SHA256
  
  eeb55237fb44060b6ef24c27bd976017efd06e9ce9281b719040ead33bcbf0a4
- SHA512
  
  e23b2b41971a7dd15ad490018c0b7c0e678830723f95da0f3eda90c3c067930ac66a30a652f8edb833a646a0a9b100f3871c199017c4a4d0000114eedcae127d
- SSDEEP
  
  6144:jk4qmGRRDWU7s6ezbVlRO0nHkwBP0ang48XsOVK+:Y9Pxf7RE00hBP0am8j
Score

10^/10

cybergate vítima persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2