General
-
Target
0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6
-
Size
3.3MB
-
Sample
221123-l1a52scg43
-
MD5
26a881839c80565b4687cc065cc91285
-
SHA1
20b862779f4567ee82bbddbc7269fbca23cd16b8
-
SHA256
0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6
-
SHA512
bc887ca4b1587d096acbeef6675848936e8c201d0da1daaa3dbb642a9bddfb5a4a8df7bfeb1d74085427f298b6fdd70f7d75491fb4e2a66cb51d2b90d15ea730
-
SSDEEP
49152:gJZoQrbTFZY1iaTqLERzY1VNf/X27e1IMsBFP4TawjJ05D2d/8KozwUI1VX6Af5l:gtrbTA1oEMBO7eBFDaIWTzwZ191Ue
Malware Config
Extracted
cybergate
v3.4.2.2
NEW
joujounette974.ddns.net:8027
8LO785716L517K
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
install
-
install_file
server.exe
-
install_flag
false
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
Targets
-
-
Target
0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6
-
Size
3.3MB
-
MD5
26a881839c80565b4687cc065cc91285
-
SHA1
20b862779f4567ee82bbddbc7269fbca23cd16b8
-
SHA256
0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6
-
SHA512
bc887ca4b1587d096acbeef6675848936e8c201d0da1daaa3dbb642a9bddfb5a4a8df7bfeb1d74085427f298b6fdd70f7d75491fb4e2a66cb51d2b90d15ea730
-
SSDEEP
49152:gJZoQrbTFZY1iaTqLERzY1VNf/X27e1IMsBFP4TawjJ05D2d/8KozwUI1VX6Af5l:gtrbTA1oEMBO7eBFDaIWTzwZ191Ue
Score10/10-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Modifies WinLogon for persistence
-
Adds policy Run key to start application
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-