cybergate | 1f9621917578d1d5ec63c5b27bafd2fdf42f9af653d01419831be96436aa789e

Sharing

Copy URL

Twitter E-mail

General

Target

1f9621917578d1d5ec63c5b27bafd2fdf42f9af653d01419831be96436aa789e
Size

1.4MB
Sample

221123-wbt7qsed5t
MD5

b48d24342a72ae2cf0a0017adb513772
SHA1

e8d86fff879c9aad62768daf79a6ff2301881774
SHA256

1f9621917578d1d5ec63c5b27bafd2fdf42f9af653d01419831be96436aa789e
SHA512

df5c9d0cfb794d2a8fbac07b707abe33f69b68aa0d3429cf52b6ee226ad96b56dbd69ee80383964e59698c2d35bca62a4275eda04a8d091f4d8683f25a0d54b3
SSDEEP

24576:YVN5nd1qbdJ/wBOzJXQYo1unuuZTkpRL39saV2ZDgGYfE2syUN9T6spkG7vK62Iq:YVx1SYMzaYosnjZTW2gLxsyy9TLkGLCt

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

victima

mayi100.zapto.org:82

Mutex

3RPDD4J3LU7HW3

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
SyStem32
install_file
winzip.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
error framework '.net framework 4.0 client profile' not installed
message_box_title
Autoclick faller
password
smail
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  3.exe
- Size
  
  520KB
- MD5
  
  09194a529b091910a4760ac33a140b51
- SHA1
  
  beff469c9b35117ba8d2811cebf3ae0d6b06716e
- SHA256
  
  b9f99b155a2d19f8b6b5907356e61c3726c9023c2d1966f317dde11a73e865e3
- SHA512
  
  5d9ff30d5771f623417a7c3a3ca13cf1c7073c3caa23c290b6aaaf52b0e78fde5bcbdfdaa8d4a73e5f09759589c54b42c371a33e5c3a034e796bf650176725a1
- SSDEEP
  
  6144:4eHejf9m2IUHtWuL2/JPrwj9o+Q+/zDjIiI1Zzq:4I2Q2IUHp2/JwtQMkx1Z
Score

1^/10
behavioral1 behavioral2
- Target
  
  Autazo Anonimous.exe
- Size
  
  85KB
- MD5
  
  44adfcba9ca769530cda441750cae418
- SHA1
  
  9cad4aeca13aea454717c8d02f55a1c05d6163ba
- SHA256
  
  268555d6fb4fc1d740cd99074fc3a53fcd32dc6a70fd01a52f857bb3b9bf34ba
- SHA512
  
  b7e5383ee247998e1ce7de0f35e5b2bd4d059f4f9efae836e48d5a999781999bddd083d69e04957c44e005e16649fcbe2d40057ac100ff7664ff904ba2091d32
- SSDEEP
  
  1536:RTN3eaIyaDHppDNNqXsYUcGVJzgDnX7SKVBYnRBu:l5YLpDNE1ZKJz8LSyBWu
Score

1^/10
behavioral3 behavioral4
- Target
  
  AutoClick Shot-Sule-XD 2.0.exe
- Size
  
  48KB
- MD5
  
  d972a2a3405419af033bbd4af8848eeb
- SHA1
  
  31c9515be00071d256ad94654aedac10904257e3
- SHA256
  
  4a1750316604db67a3853510016caca6b662c55a6a82e8e08fbeb66463c0cff5
- SHA512
  
  e234318fe9622a8aebd230d1ec6365d768f2a705b2245a3ff9b733f01f06c0c4117a646e224b7aadfc2a9e0fb1ff43fcdd04ded12780f3135024fc7cdc57e4d8
- SSDEEP
  
  768:tRTpBBFpYKLmB7tohesAJyYMRmr+DEJTyqP17QGUAImGI9yI2XPVKkU:esmB7tzsPYMAroEMC1/UTIT2fckU
Score

1^/10
behavioral5 behavioral6
- Target
  
  Autoclick CarlosHdz!.exe
- Size
  
  130KB
- MD5
  
  806f39fd4042410e18f803ddf250b9e4
- SHA1
  
  8aa6f0dd1eb8e8b17c8bced39e03f106bce8e5a4
- SHA256
  
  5bc83be43587d84d56bc981cc58aef0f740fae1f35ef24708ea2262f406351c0
- SHA512
  
  e46e2829f32d683102d91fa5315a892f154cde7fc4d3c604a5b73ff0e2a8889c2566ec79c758a2029147973d77607139de509a51172a0655fd434eff8cca4882
- SSDEEP
  
  3072:+Q5akSxmL/B5h/kxE1HAQcYfgjhUZ2ipx24hy:+QtwmL/B52gAQpfgjeZ2in
Score

1^/10
behavioral7 behavioral8
- Target
  
  Autoclick GreenSkull.exe
- Size
  
  45KB
- MD5
  
  d0bc98ae25f8707fba3be06ebff9c046
- SHA1
  
  53da2d1e636f9bdc7f5ade085c9d032b4e1bddc9
- SHA256
  
  ed12e5482b90f22c07433553b604119dfca9b4b0930aac93b8de325dbfa2519a
- SHA512
  
  5ccd15d4a0ec712c4176a6b3404af97f793dfd29529a74d2072baf1007974e2b73b48127b2c554790bfe3103a314fd69c57f14539efabad3d517bc5b6ca45918
- SSDEEP
  
  768:4iGMGG8Q8KRFfz2IklgF7+WFai27E9nxzyyBcPClsH:4XYB84LvFMiwE59DBYiK
Score

1^/10
behavioral10 behavioral9
- Target
  
  Autoclick Petuliano.exe
- Size
  
  96KB
- MD5
  
  3f98e162989edf51d351ebd9af2a553c
- SHA1
  
  85758aa41f15a178ae96cf76b32b85c62b5ade02
- SHA256
  
  b56395ba8c7499c2b0ee01d703f8c5294b36e5fa17ec7b1b0abbc6c63c957a7a
- SHA512
  
  48b968c2541f2c52f0d004f54a9f56f1a380d227711d76de84346bb8dbe878df43e0119da22fc6a633b20e14421b7236299cee29f77b83eeb846cb84452853db
- SSDEEP
  
  3072:fOSSj+UQCSuRV7Vr1PmiteKltdFDre1ece2zo:fOzLQLIV7tdmEeKltdFDre1b
Score

1^/10
behavioral11 behavioral12
- Target
  
  Autoclick Upper-Z.exe
- Size
  
  82KB
- MD5
  
  72df3ad6be245419d90686084860329d
- SHA1
  
  5a9f14640906a10bcf1be5c9e7600324691a3331
- SHA256
  
  3016e757b24a341dd1e915b60f4c01f996527324487c2b0dd75b46ba7362c86b
- SHA512
  
  503d86fee5e724b27cb0d56cbbd9433acf06dd43a4f7261a9c5abbbc43da451fe794ce266420f09c0df77064b39b00dff1c88eeb369724823eb514cb51ab81d0
- SSDEEP
  
  768:m57JvxWatbNWbU0F0vp/U7FF0Jhfxsez/U9ke38BcPdnHexbtFZ7JvxWatbNWb:mftbWU0KhM70JhJsez8cBYdHybz/tbW
Score

1^/10
behavioral13 behavioral14
- Target
  
  Autoclick VIP.exe
- Size
  
  60KB
- MD5
  
  f4c3c1337e50041b533b49831031369b
- SHA1
  
  2215b13e639d1212608e56703a9d17f7abf6b832
- SHA256
  
  b4b21c93472cfdd50c9062b5b837789d3abff12988a1bcf2fddec13b7af09998
- SHA512
  
  0ec0d2317883571d48cdee96e5472675f2a34cfcf9a983b3148a4ed074c0bbe963863fb43a267fd703d4a63b2a5900cb7c19ae6ddb7e368484a9623abef4a9ad
- SSDEEP
  
  1536:yssr+kLR87m4gvdjWMwK4Th1uJ6oRZkWAhJBYIlQ:rsakLRaEdjtwK4Th4J6uZOBlQ
Score

1^/10
behavioral15 behavioral16
- Target
  
  Autoclick anonimous.exe
- Size
  
  61KB
- MD5
  
  ec2e0e1a8a1267d7fa1196ba26e6bd2c
- SHA1
  
  736319f7aed12b1a80aff000a63ab45a6f10b724
- SHA256
  
  0d8ceecae987762d6df34511858845567efb454fb5d5bb6d581572aff970e582
- SHA512
  
  296a3af3d6212ab4f9d230a5af18eb988bb7a125c5a2a1db52a0ef6ebf3911d7a018f43ca1d3c8964dffe424b9a98b210aa9c216d1d38fec992e07fd8f9bc58f
- SSDEEP
  
  1536:38u5ws7MaBJFpMybAdy23xUaXdfTBY+HVFQ:38u5galpFbALVtBJQ
Score

1^/10
behavioral17 behavioral18
- Target
  
  Autoclick elhuesos.exe
- Size
  
  136KB
- MD5
  
  0c17f9a2a7a9389fe8dfae831028ce77
- SHA1
  
  52aa6c4714403997f7e2b6ef3a42603996bcfc44
- SHA256
  
  df2af990abd3be2486da630db4adf8ee020c1a9e9af2e86c5013a4d5a9112c32
- SHA512
  
  aea1a96980c82d9e5b01c22b49ebfdbe1128985792ce4d0abd1602ba9677bb6a6ebcfe635c6db9f274b38998c78a4dba7cd2d1bc29a8b40614be61055435e09d
- SSDEEP
  
  1536:nTN3eaIyaDHppMHbZwpD4AJXDt+xQ2zImbaDdZ1qQmNCLE2fzm1aOhG1taPrqBYB:T5YLpMHdwx4+JQODz11mtzA6qBpbz3s
Score

1^/10
behavioral19 behavioral20
- Target
  
  Autoclick lefofo By !---Dani---!.exe
- Size
  
  68KB
- MD5
  
  2c4fc38abac0e13c8089919065e493a5
- SHA1
  
  b06a6a058b595dd8d1da0327879b0dba2a1d812d
- SHA256
  
  b1026ecd58902986463609e327f8fcef7cc9401e8b7bfe13d870692f6ce1f65e
- SHA512
  
  40f6d52136517c9f5b1bf9d9c891d0e435ba0c4f4dbdd2d3a4858fbf09bb03829a57057c9f81a42f7d0e7b08a43931516e9839533088657826ded054f7eb10ec
- SSDEEP
  
  1536:k1Rq96QjwyXfF0TLKrNO2lfScW9ZrMl40u:XblPFMqQGfSt1o40u
Score

1^/10
behavioral21 behavioral22
- Target
  
  autoclick andrusero.exe
- Size
  
  71KB
- MD5
  
  98555d37d22d6ce77b6dac3f2b3408d4
- SHA1
  
  765ef6912cc790352e321ac42f1301f795dd301b
- SHA256
  
  b18ff7e7e02a02058dd332fc05a624fc1bcb3de14634c921b40615c272635bda
- SHA512
  
  c48e90ef65a9be9a05ee45990d2d5415f198263694927714389233b8e675a559d21320f53e7098dcdbdbf8a19e3d0a0d60dc21dedce0a6efa8e671fa9d78ff4e
- SSDEEP
  
  768:x27AaWM+MA+wLqfPGftHLFbm+XcGTmDgNNIuTTngBYwZ91AfLwo2XPwHHZdIc:x20c+MyHxhsGTmwgBYibAfLv2fOD
Score

1^/10
behavioral23 behavioral24
- Target
  
  trz6571.tmp
- Size
  
  389KB
- MD5
  
  382d88e30ece53cce0046f1c26d6e4a5
- SHA1
  
  b583bafc20bc432ec0967e66ec496277ad75fd5d
- SHA256
  
  c9eccba716546375051f9c0e919b55875f158303baa508bf641690346a1af515
- SHA512
  
  483dd8c8cdb12096a65d9ee3c27ac97037d3e864b03082b4c18f5c6cefe5d2811adfba2a7643d9c3128093f22790823f3bc82d4b3f41b6f8e1683585976bd90f
- SSDEEP
  
  6144:b1dlZro5ycxfqg81E2nfzwG6D6cMYv+Izu50obEhajheQ6+sbG8ZxA01nAj5M:b1dlZo5yLRfV6lMW3zu50gEi41m01n3
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral25 behavioral26
- Target
  
  trz8522.tmp
- Size
  
  308KB
- MD5
  
  d255a9cc1c1fa4a08e322543673bcb7e
- SHA1
  
  b3ea990c7f730eb61ff4ed87748b150e34dbc76c
- SHA256
  
  2f28791775bba1d9481563d8c40c9665298a9aa06fccef01eae63f27eb2cb926
- SHA512
  
  a84b58693e1d5fe4e9d734b058c965a0bd1b0e64894c7dc301929eff31001fd39d31e0ee8d39e31122cf4e6b45def9ea38c5a1535c691fc6a53ceec86fcf1bd7
- SSDEEP
  
  6144:ikIZp16d70R3eArX76KRoGOAGw1nYCAtIRJNTu+SnumvMS1leV6EITBsllw:ikLdgR3e2GKKGOsUI0+VS10VCal
Score

10^/10

cybergate victima persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral27 behavioral28

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28