Overview

overview

10

Static

static

9e67002aa5...f7.exe

windows7-x64

10

9e67002aa5...f7.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9e67002aa59c6a0e73b2d21d3a880fdbf5d523a86daeceb2b73d9a457cfc16f7

  • Size

    1.1MB

  • Sample

    221124-f61p1abh87

  • MD5

    f7bf0f320219ce5b2b80c1ab782de207

  • SHA1

    fbd8114417a8f82e0725a8f301b898fc986072dc

  • SHA256

    9e67002aa59c6a0e73b2d21d3a880fdbf5d523a86daeceb2b73d9a457cfc16f7

  • SHA512

    e41ce2f9b2e805d88d6a7bee6aa18706a88d53cf107b8121a70e9c3103d7f80bef150bd62ae71483054866b2bd7dad4a9229a99f00aa4db116c5f24ad5665066

  • SSDEEP

    24576:IzMzQE18BycsByOrV+5vcfDnajuMCkP6Lbusecnnyus:IQ8E18Bylw5Uh3vrnnu

Score
10/10
cybergate1stevasionpersistencestealertrojanupx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

1st

C2

210.16.255.208:2583

Mutex

B6KPE0BU4DL0JQ

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      9e67002aa59c6a0e73b2d21d3a880fdbf5d523a86daeceb2b73d9a457cfc16f7

    • Size

      1.1MB

    • MD5

      f7bf0f320219ce5b2b80c1ab782de207

    • SHA1

      fbd8114417a8f82e0725a8f301b898fc986072dc

    • SHA256

      9e67002aa59c6a0e73b2d21d3a880fdbf5d523a86daeceb2b73d9a457cfc16f7

    • SHA512

      e41ce2f9b2e805d88d6a7bee6aa18706a88d53cf107b8121a70e9c3103d7f80bef150bd62ae71483054866b2bd7dad4a9229a99f00aa4db116c5f24ad5665066

    • SSDEEP

      24576:IzMzQE18BycsByOrV+5vcfDnajuMCkP6Lbusecnnyus:IQ8E18Bylw5Uh3vrnnu

    Score
    10/10
    cybergate1stevasionpersistencestealertrojanupx

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

      trojanstealercybergate

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Adds policy Run key to start application

      persistence

    • Modifies Installed Components in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks