cybergate | f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7

General

Target

f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7
Size

1.1MB
Sample

221014-lp2hvshha8
MD5

626b8d03be6e13c113081a7d1a8f2673
SHA1

273ba5653a9781689be443f13e519d7f71e4ae6b
SHA256

f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7
SHA512

4eec7c14ce599fca0d4c6d32c5794d795415a46bd82fe0dd20798d3da5059f3e99826e2fffe0fed59d034623ebe10482c6af9e0711a99db024f334cedbb7e2ea
SSDEEP

24576:r7gluJ0c7UjEKQ1uvH3Oy4IPBqKF58QG4x03PdhMdh:rquJ8TDeyfPBp8h7dhML

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.5

Botnet

NetSus

C2

lokotokio.no-ip.org:8888

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Elplorer
install_file
lexplorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
loko
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7
- Size
  
  1.1MB
- MD5
  
  626b8d03be6e13c113081a7d1a8f2673
- SHA1
  
  273ba5653a9781689be443f13e519d7f71e4ae6b
- SHA256
  
  f43eff1e512ad2f52f2249af234f1436e7e665174e7a36d5df6c40215c67ffc7
- SHA512
  
  4eec7c14ce599fca0d4c6d32c5794d795415a46bd82fe0dd20798d3da5059f3e99826e2fffe0fed59d034623ebe10482c6af9e0711a99db024f334cedbb7e2ea
- SSDEEP
  
  24576:r7gluJ0c7UjEKQ1uvH3Oy4IPBqKF58QG4x03PdhMdh:rquJ8TDeyfPBp8h7dhML
Score

10^/10

cybergate netsus persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2