cybergate | c5e1c94fc953992cb5d5711a9feac9c2e5b2e465f61c196c1d28422c7a64a43c | Triage

Submit
Reports

Overview

overview

Static

static

c5e1c94fc9...3c.exe

windows7-x64

c5e1c94fc9...3c.exe

windows10-2004-x64

Sharing

General

Target

c5e1c94fc953992cb5d5711a9feac9c2e5b2e465f61c196c1d28422c7a64a43c
Size

404KB
Sample

221030-y7cnnshdf9
MD5

922ebad17a820a461a2d521815beb87b
SHA1

3e84f8e30e0e89ba4f2f65b41c9803e8295784ef
SHA256

c5e1c94fc953992cb5d5711a9feac9c2e5b2e465f61c196c1d28422c7a64a43c
SHA512

8422a7d8c8f91faacaa7aecb9183e78af4df50adc4b3ff903c54c04eff9e33c4a9a04e1ca49874d9d68d0cd9fd42aa40abcd37127f2ecebd7f59dd116d7b2e54
SSDEEP

6144:lGI9p8LqO9h6zhTreVSx1yThvexmhYgmx1Ve8dNwtDP:lGI9OL99h6zZreVSxGhOBe8dNwtD

Score

10^/10

cybergate vic persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

c5e1c94fc953992cb5d5711a9feac9c2e5b2e465f61c196c1d28422c7a64a43c.exe

Resource

win7-20220812-en

cybergate vic persistence stealer trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

c5e1c94fc953992cb5d5711a9feac9c2e5b2e465f61c196c1d28422c7a64a43c.exe

Resource

win10v2004-20220901-en

cybergate vic persistence stealer trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

vic

C2

1337brocki1337.ath.cx:8080

Mutex

G6YRG05L20PGI4

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Defender
install_file
def.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
omg13371337
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  c5e1c94fc953992cb5d5711a9feac9c2e5b2e465f61c196c1d28422c7a64a43c
- Size
  
  404KB
- MD5
  
  922ebad17a820a461a2d521815beb87b
- SHA1
  
  3e84f8e30e0e89ba4f2f65b41c9803e8295784ef
- SHA256
  
  c5e1c94fc953992cb5d5711a9feac9c2e5b2e465f61c196c1d28422c7a64a43c
- SHA512
  
  8422a7d8c8f91faacaa7aecb9183e78af4df50adc4b3ff903c54c04eff9e33c4a9a04e1ca49874d9d68d0cd9fd42aa40abcd37127f2ecebd7f59dd116d7b2e54
- SSDEEP
  
  6144:lGI9p8LqO9h6zhTreVSx1yThvexmhYgmx1Ve8dNwtDP:lGI9OL99h6zZreVSxGhOBe8dNwtD
Score

10^/10

cybergate vic persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cybergatevicpersistencestealertrojanupx

behavioral2

cybergatevicpersistencestealertrojanupx

© 2018-2024

Terms | Privacy