cybergate | 0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6

General

Target

0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6
Size

3.3MB
Sample

221123-l1a52scg43
MD5

26a881839c80565b4687cc065cc91285
SHA1

20b862779f4567ee82bbddbc7269fbca23cd16b8
SHA256

0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6
SHA512

bc887ca4b1587d096acbeef6675848936e8c201d0da1daaa3dbb642a9bddfb5a4a8df7bfeb1d74085427f298b6fdd70f7d75491fb4e2a66cb51d2b90d15ea730
SSDEEP

49152:gJZoQrbTFZY1iaTqLERzY1VNf/X27e1IMsBFP4TawjJ05D2d/8KozwUI1VX6Af5l:gtrbTA1oEMBO7eBFDaIWTzwZ191Ue

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

NEW

C2

joujounette974.ddns.net:8027

Mutex

8LO785716L517K

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Targets

- Target
  
  0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6
- Size
  
  3.3MB
- MD5
  
  26a881839c80565b4687cc065cc91285
- SHA1
  
  20b862779f4567ee82bbddbc7269fbca23cd16b8
- SHA256
  
  0073aee29d41f741b5fd338a8781fbd1df852eaa8f1d9d49f9d036547bf068b6
- SHA512
  
  bc887ca4b1587d096acbeef6675848936e8c201d0da1daaa3dbb642a9bddfb5a4a8df7bfeb1d74085427f298b6fdd70f7d75491fb4e2a66cb51d2b90d15ea730
- SSDEEP
  
  49152:gJZoQrbTFZY1iaTqLERzY1VNf/X27e1IMsBFP4TawjJ05D2d/8KozwUI1VX6Af5l:gtrbTA1oEMBO7eBFDaIWTzwZ191Ue
Score

10^/10

cybergate new persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies WinLogon for persistence
  persistence
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Modifies WinLogon for persistence

Adds policy Run key to start application

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2