cybergate | 8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

8e8f3c6fe3...dc.exe

windows7-x64

8e8f3c6fe3...dc.exe

windows10-2004-x64

Sharing

General

Target

8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc
Size

818KB
Sample

221014-k9jm4shac7
MD5

73de66d2519ad200365714b17da81160
SHA1

f9ce9d8ec3c975ff27e074b75e6b76a6f1eda26b
SHA256

8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc
SHA512

9860b7d40649ceaf7ff442ce42ce0c92cb67f582a4dcac844a77865a06d732b4175b076d958ff5d72e00fec9e63351d32803f42160a00df5947ef83264d4e072
SSDEEP

12288:55sn5mnSeD0IpOB9yAARmRsCD7HXCiS4omMfNFS5VWjua+nrYaSbKYceukhy6Ipb:3sUnke49Ki0SN9yHFm+PFy

Score

10^/10

cybergate 12345 persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc.exe

Resource

win7-20220812-en

cybergate 12345 persistence stealer trojan upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc.exe

Resource

win10v2004-20220812-en

cybergate 12345 persistence stealer trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

12345

C2

neruel.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
service.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc
- Size
  
  818KB
- MD5
  
  73de66d2519ad200365714b17da81160
- SHA1
  
  f9ce9d8ec3c975ff27e074b75e6b76a6f1eda26b
- SHA256
  
  8e8f3c6fe3e72dc430e1d5c4db110b420cbe9d62bfe7e68f82ad39795276e4dc
- SHA512
  
  9860b7d40649ceaf7ff442ce42ce0c92cb67f582a4dcac844a77865a06d732b4175b076d958ff5d72e00fec9e63351d32803f42160a00df5947ef83264d4e072
- SSDEEP
  
  12288:55sn5mnSeD0IpOB9yAARmRsCD7HXCiS4omMfNFS5VWjua+nrYaSbKYceukhy6Ipb:3sUnke49Ki0SN9yHFm+PFy
Score

10^/10

cybergate 12345 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergate12345persistencestealertrojanupx

behavioral2

cybergate12345persistencestealertrojanupx

© 2018-2025

Terms | Privacy