cybergate | 458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8

General

Target

458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8
Size

397KB
Sample

221030-catp2afhc4
MD5

9356c56374eed0fe79bd4772eaf7b6c0
SHA1

bfeea518e5673da831c383e14424b60f1e8153c5
SHA256

458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8
SHA512

2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975
SSDEEP

6144:Uk4qmzFrq5uOshWGPYBY3EEHKVJyAtTcAF/ST6E0uvr4MFKWG8aTv/ZN1sH7zCXi:39UqQxhQmEYyJCARK6PPM1aTHZNU7R

Score

10^/10

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

cybergate

Version

2.6

Botnet

Microsoft

C2

jackerjumper.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
system32
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8
- Size
  
  397KB
- MD5
  
  9356c56374eed0fe79bd4772eaf7b6c0
- SHA1
  
  bfeea518e5673da831c383e14424b60f1e8153c5
- SHA256
  
  458cdba55c2bc579f9dd17c28af59bcd979abafc0789047e8ef6ab78e74c63f8
- SHA512
  
  2120e1b12959d0f92f8421984b84a9320919105f8c1ca66f878fd1b24c2c91e2ed02bbd3843554092373b376ca0536cd6a6f2ff9523ae10d26e149fe749c2975
- SSDEEP
  
  6144:Uk4qmzFrq5uOshWGPYBY3EEHKVJyAtTcAF/ST6E0uvr4MFKWG8aTv/ZN1sH7zCXi:39UqQxhQmEYyJCARK6PPM1aTHZNU7R
Score

10^/10

cybergate sality microsoft backdoor evasion persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2