cybergate | b3d2b18537aeb82b145e9fb7bf5b6b1adb4040fc578bac08cacd3488377a2f94

General

Target

b3d2b18537aeb82b145e9fb7bf5b6b1adb4040fc578bac08cacd3488377a2f94
Size

476KB
Sample

221029-s9f6zschh9
MD5

37dc239619d5a1a5c0a0ce448089cae8
SHA1

ac2455b9fcc2acd21b769e3574c8f6d5504216cc
SHA256

b3d2b18537aeb82b145e9fb7bf5b6b1adb4040fc578bac08cacd3488377a2f94
SHA512

655a8ae1fd2a7871511ccc1826a1d4879b84da7f15b84c5aeb4010d14d5715165e854dadb51dcb331c2ac8fdb8072b278d10c27a630a5d91a118c11ddd353b3e
SSDEEP

6144:fd5njLvzZELqo1ahgzirNsrHccvGl8fBGKS5DTCO/vBh9zxd8fYrtIvG5z+QvCa/:frnjrlELq1qDccvtrScOFfxtfrKtIiY

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

test1

C2

priapunyaselera.no-ip.biz:86

Mutex

Y07W62JB54MVUX

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
q1w2e3r4
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  b3d2b18537aeb82b145e9fb7bf5b6b1adb4040fc578bac08cacd3488377a2f94
- Size
  
  476KB
- MD5
  
  37dc239619d5a1a5c0a0ce448089cae8
- SHA1
  
  ac2455b9fcc2acd21b769e3574c8f6d5504216cc
- SHA256
  
  b3d2b18537aeb82b145e9fb7bf5b6b1adb4040fc578bac08cacd3488377a2f94
- SHA512
  
  655a8ae1fd2a7871511ccc1826a1d4879b84da7f15b84c5aeb4010d14d5715165e854dadb51dcb331c2ac8fdb8072b278d10c27a630a5d91a118c11ddd353b3e
- SSDEEP
  
  6144:fd5njLvzZELqo1ahgzirNsrHccvGl8fBGKS5DTCO/vBh9zxd8fYrtIvG5z+QvCa/:frnjrlELq1qDccvtrScOFfxtfrKtIiY
Score

10^/10

cybergate test1 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2