cybergate | dc394d67c82124166f5694ba5bf2f9fce862cd6b802f8b0fd2d677f6b08b4b0e

General

Target

dc394d67c82124166f5694ba5bf2f9fce862cd6b802f8b0fd2d677f6b08b4b0e
Size

558KB
Sample

221030-s6lbjahehl
MD5

81ffd3354f5cb92f9e7db4d57ad9cde9
SHA1

170b9dabed7eea901d7b048b030318e66630e160
SHA256

dc394d67c82124166f5694ba5bf2f9fce862cd6b802f8b0fd2d677f6b08b4b0e
SHA512

be4fc1edfd06db1f7478fcacc666874548c404b2aab8e9c8b8df9c411aeac075d16870d02acde1c17118d232616897b8410a2349bcb56bf994d4e6fbf1c89ead
SSDEEP

12288:tHLUMuiv9RgfSjAzRty4yOc6PjOIOnsbXN5P+uPo4D:VtARtXVensb7PM4D

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

mirelly27.no-ip.org:999

Mutex

B650PBL57J02K0

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
explorer.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Targets

- Target
  
  dc394d67c82124166f5694ba5bf2f9fce862cd6b802f8b0fd2d677f6b08b4b0e
- Size
  
  558KB
- MD5
  
  81ffd3354f5cb92f9e7db4d57ad9cde9
- SHA1
  
  170b9dabed7eea901d7b048b030318e66630e160
- SHA256
  
  dc394d67c82124166f5694ba5bf2f9fce862cd6b802f8b0fd2d677f6b08b4b0e
- SHA512
  
  be4fc1edfd06db1f7478fcacc666874548c404b2aab8e9c8b8df9c411aeac075d16870d02acde1c17118d232616897b8410a2349bcb56bf994d4e6fbf1c89ead
- SSDEEP
  
  12288:tHLUMuiv9RgfSjAzRty4yOc6PjOIOnsbXN5P+uPo4D:VtARtXVensb7PM4D
Score

10^/10

cybergate remote persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2