Overview

overview

10

Static

static

aea54560b7...21.exe

windows7-x64

10

aea54560b7...21.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

  • Size

    639KB

  • Sample

    221124-cnp9rsba27

  • MD5

    1d12caac9cf70f982331c1bc4461783e

  • SHA1

    1249e8a0ac9f83b619bf376abf089821b15ed79f

  • SHA256

    aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

  • SHA512

    2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057

  • SSDEEP

    12288:AlmOKxg09ePyOT94iVGDOMHS5VtIVQWaglJLobyQqVtQhU7:+KxlER48sOR7WaMNYyQqV5

Score
10/10
cybergatel4ruagilenetpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

l4ru

C2

brosto.strangled.net:81

brosto.strangled.net:4123

brosto.strangled.net:6745

brosto.strangled.net:7534

brosto.strangled.net:7653

sasaze.chickenkiller.com:7875

sasaze.chickenkiller.com:8545

sasaze.chickenkiller.com:8642

sasaze.chickenkiller.com:8742

sasaze.chickenkiller.com:8954

brostod.jumpingcrab.com:9647

brostod.jumpingcrab.com:9743

brostod.jumpingcrab.com:9866

brostod.jumpingcrab.com:10535

brostod.jumpingcrab.com:10877

1844205166:53575

1844205166:58656

1844205166:59534

1844205166:59642
Mutex

HN6MPGL8C6B6K0

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    interface

  • install_file

    csrsc.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    a123123123

  • regkey_hkcu

    exploruse

  • regkey_hklm

    exploruse

Targets

    • Target

      aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

    • Size

      639KB

    • MD5

      1d12caac9cf70f982331c1bc4461783e

    • SHA1

      1249e8a0ac9f83b619bf376abf089821b15ed79f

    • SHA256

      aea54560b7b73782b13dbf894df8b1869c45b50237eccd45b66ee4efc36d5e21

    • SHA512

      2a7fbfacd4a9c70136b4f6ceb3d5319722d3d907b46f7002f3ee00ed38513918b7a1e40784fe3a5a0d56e353e99ac60d952fee8b4593838769ebb55addbc7057

    • SSDEEP

      12288:AlmOKxg09ePyOT94iVGDOMHS5VtIVQWaglJLobyQqVtQhU7:+KxlER48sOR7WaMNYyQqV5

    Score
    10/10
    cybergatel4ruagilenetpersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks