cybergate | 64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd

General

Target

64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd
Size

404KB
Sample

221106-3r6n2agca5
MD5

064d1630dfcc620f0632856805d86bec
SHA1

52313bed2302a45d985099eb6752e8b10e10e88e
SHA256

64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd
SHA512

160cd6ee3dbf055ec26f5844cda9f6c8dc163295a890f39519f0330139381849f19ee7cb0f12dba47b013a1f97c6aa5592e0f658b54199c86ceda50c7379de86
SSDEEP

6144:P87+LaxrSm3P4NXouMF2VC4K4dwfZtIb6UKTblN5zMCycMq5jgFrayF9vqJ2eM9A:pWxrSmGMd4KKAZt+4HH/MYKrbFehgm35

Score

10^/10

cybergate 260113+persistence stealer trojan upx vmprotect

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

260113+

C2

88.167.71.61:82

Mutex

6V338DBOKL417J

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
224444

Targets

- Target
  
  64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd
- Size
  
  404KB
- MD5
  
  064d1630dfcc620f0632856805d86bec
- SHA1
  
  52313bed2302a45d985099eb6752e8b10e10e88e
- SHA256
  
  64da8faf127400bd268fa3605f30fc1fa74e5365e79fba42346dff3923d229cd
- SHA512
  
  160cd6ee3dbf055ec26f5844cda9f6c8dc163295a890f39519f0330139381849f19ee7cb0f12dba47b013a1f97c6aa5592e0f658b54199c86ceda50c7379de86
- SSDEEP
  
  6144:P87+LaxrSm3P4NXouMF2VC4K4dwfZtIb6UKTblN5zMCycMq5jgFrayF9vqJ2eM9A:pWxrSmGMd4KKAZt+4HH/MYKrbFehgm35
Score

10^/10

vmprotect cybergate 260113+persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

VMProtect packed file

Checks computer location settings

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2