cybergate | ea978749c1cb50887edf59482191d5344b38010160b230d352b3e4eedcdb842f

General

Target

ea978749c1cb50887edf59482191d5344b38010160b230d352b3e4eedcdb842f
Size

997KB
Sample

221106-htjbasbeel
MD5

22295ae123a1086892993978dfa74c50
SHA1

34274142a00d1f168a95c54d7a8424469e055773
SHA256

ea978749c1cb50887edf59482191d5344b38010160b230d352b3e4eedcdb842f
SHA512

280805ea6bdcb3f89c90704efaac7456e7d1093cd7d4c7c086c44bf487eebc023350851b4bb2c8a5a1b268af781221428cd6fcc2f6bf900b1c5c188d749d78c4
SSDEEP

24576:KeQkTf4+DcWfmk5TyAy3iu5A3t/LIByEnywiebhPb+1GJsN:qkTggcWfmsfuW3pIByEnHNbsGK

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

darknighthacker.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  ea978749c1cb50887edf59482191d5344b38010160b230d352b3e4eedcdb842f
- Size
  
  997KB
- MD5
  
  22295ae123a1086892993978dfa74c50
- SHA1
  
  34274142a00d1f168a95c54d7a8424469e055773
- SHA256
  
  ea978749c1cb50887edf59482191d5344b38010160b230d352b3e4eedcdb842f
- SHA512
  
  280805ea6bdcb3f89c90704efaac7456e7d1093cd7d4c7c086c44bf487eebc023350851b4bb2c8a5a1b268af781221428cd6fcc2f6bf900b1c5c188d749d78c4
- SSDEEP
  
  24576:KeQkTf4+DcWfmk5TyAy3iu5A3t/LIByEnywiebhPb+1GJsN:qkTggcWfmsfuW3pIByEnHNbsGK
Score

10^/10

cybergate öííé persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Suspicious use of NtCreateProcessExOtherParentProcess
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Suspicious use of NtCreateProcessExOtherParentProcess

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2