cybergate | a6932a439109ea2ca2592af515433af992b42d1caa2084e119ba1586e2a4fd79 | Triage

Submit
Reports

Overview

overview

Static

static

a6932a4391...79.exe

windows7-x64

a6932a4391...79.exe

windows10-2004-x64

Sharing

General

Target

a6932a439109ea2ca2592af515433af992b42d1caa2084e119ba1586e2a4fd79
Size

897KB
Sample

221020-j8q55adbfk
MD5

80e6c4c90814c4e70db9a106263a30f1
SHA1

740f1e9f28994aacba3f231599aea864668284df
SHA256

a6932a439109ea2ca2592af515433af992b42d1caa2084e119ba1586e2a4fd79
SHA512

796f17a3263965a384723b4df27788ee26f8a707061a25e85960bced3c839b898fa09f9ab5584d98bd94e805e8242c9f8ac9bc2c320a3c8b9241a2158170b6ea
SSDEEP

12288:nNkQ4lR491+9U5x9Bubq9UL+4goy/6rGgCYYDi9ItaF0pCQ3oJMB50KPrfdLbr+n:ne4N9lRPif0p4JyFY8nYug0bXIJ

Score

10^/10

cybergate 1 persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

a6932a439109ea2ca2592af515433af992b42d1caa2084e119ba1586e2a4fd79.exe

Resource

win7-20220901-en

cybergate 1 persistence stealer trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

a6932a439109ea2ca2592af515433af992b42d1caa2084e119ba1586e2a4fd79.exe

Resource

win10v2004-20220812-en

cybergate 1 persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v3.3.0.0

Botnet

1

C2

justme.dyndns-server.com:997

Mutex

DKFOC7KJRFF5O6

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
firefox
install_file
firefox.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
2
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  a6932a439109ea2ca2592af515433af992b42d1caa2084e119ba1586e2a4fd79
- Size
  
  897KB
- MD5
  
  80e6c4c90814c4e70db9a106263a30f1
- SHA1
  
  740f1e9f28994aacba3f231599aea864668284df
- SHA256
  
  a6932a439109ea2ca2592af515433af992b42d1caa2084e119ba1586e2a4fd79
- SHA512
  
  796f17a3263965a384723b4df27788ee26f8a707061a25e85960bced3c839b898fa09f9ab5584d98bd94e805e8242c9f8ac9bc2c320a3c8b9241a2158170b6ea
- SSDEEP
  
  12288:nNkQ4lR491+9U5x9Bubq9UL+4goy/6rGgCYYDi9ItaF0pCQ3oJMB50KPrfdLbr+n:ne4N9lRPif0p4JyFY8nYug0bXIJ
Score

10^/10

cybergate 1 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cybergate1persistencestealertrojanupx

behavioral2

cybergate1persistencestealertrojanupx

© 2018-2024

Terms | Privacy