cybergate | 4c1b54d62da62e10084d62fb44b6709deb129355fe6fe81bd94ca687d280a605

General

Target

4c1b54d62da62e10084d62fb44b6709deb129355fe6fe81bd94ca687d280a605
Size

1.9MB
Sample

221123-hnbn9shf6s
MD5

c123bc9e4d9deb0673081f9812c40de2
SHA1

c0b37800928748499e3ad1a32bb35ede70ff3d18
SHA256

4c1b54d62da62e10084d62fb44b6709deb129355fe6fe81bd94ca687d280a605
SHA512

74d8b674e9cab4e51e517289961c8d9f7e7ff80c90ddc50f9f7ad494ed3be1baa2abd6c6a58e9e680cd78268357f74b7c342f4421e627a6b4a7b817fd84b2ee9
SSDEEP

49152:Dkwkn9IMHeaQLYOIzZxqG+lMpeKSaPCS:AdnVYEpZN+luJPC

Score

10^/10

cybergate yt persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

yt

C2

greenmail4.mooo.com:1605

Mutex

X338VB838P4CE7

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123

Targets

- Target
  
  4c1b54d62da62e10084d62fb44b6709deb129355fe6fe81bd94ca687d280a605
- Size
  
  1.9MB
- MD5
  
  c123bc9e4d9deb0673081f9812c40de2
- SHA1
  
  c0b37800928748499e3ad1a32bb35ede70ff3d18
- SHA256
  
  4c1b54d62da62e10084d62fb44b6709deb129355fe6fe81bd94ca687d280a605
- SHA512
  
  74d8b674e9cab4e51e517289961c8d9f7e7ff80c90ddc50f9f7ad494ed3be1baa2abd6c6a58e9e680cd78268357f74b7c342f4421e627a6b4a7b817fd84b2ee9
- SSDEEP
  
  49152:Dkwkn9IMHeaQLYOIzZxqG+lMpeKSaPCS:AdnVYEpZN+luJPC
Score

10^/10

cybergate yt persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2