cybergate | 6a7b717681603aefd71977bfc07a2318dba49060056dd5d942030901b97a8f4a

General

Target

6a7b717681603aefd71977bfc07a2318dba49060056dd5d942030901b97a8f4a
Size

464KB
Sample

221123-l12yrsgb71
MD5

08703f67ad5222bf1c0f17308584d3dd
SHA1

e3c9ddf7a8d117746ee50d2cc0c9072c9a15915e
SHA256

6a7b717681603aefd71977bfc07a2318dba49060056dd5d942030901b97a8f4a
SHA512

edb494cd9d624d071b2e6fbb5ca28a1f664828e8dc5e552f4b8274868f7ccae55abb331672b07a84f235de41559c1abf55b5ad79362ff958a84cd705f050b1d1
SSDEEP

6144:iKuhfgZhLhfgZhQw1E7vd++mJ6kWwymy8jGtSsc3rRct2ffJojmo9wqcnhfgZh:iKwu7F+t6P/hk2c3rRmqbIc

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.04.8

Botnet

remote

C2

merosh.zapto.org:200

merosh.zapto.org:81

merosh.zapto.org:288

Mutex

N6X0W8843KF3I0

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Targets

- Target
  
  6a7b717681603aefd71977bfc07a2318dba49060056dd5d942030901b97a8f4a
- Size
  
  464KB
- MD5
  
  08703f67ad5222bf1c0f17308584d3dd
- SHA1
  
  e3c9ddf7a8d117746ee50d2cc0c9072c9a15915e
- SHA256
  
  6a7b717681603aefd71977bfc07a2318dba49060056dd5d942030901b97a8f4a
- SHA512
  
  edb494cd9d624d071b2e6fbb5ca28a1f664828e8dc5e552f4b8274868f7ccae55abb331672b07a84f235de41559c1abf55b5ad79362ff958a84cd705f050b1d1
- SSDEEP
  
  6144:iKuhfgZhLhfgZhQw1E7vd++mJ6kWwymy8jGtSsc3rRct2ffJojmo9wqcnhfgZh:iKwu7F+t6P/hk2c3rRmqbIc
Score

10^/10

cybergate remote persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2