cybergate | 6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be

General

Target

6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be
Size

1.1MB
Sample

221124-mwqwdahb99
MD5

94bc558632c9f3e51e55e940cad61b97
SHA1

cf29db7c9b0a3cbab365ca7ea4fe2595d9173775
SHA256

6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be
SHA512

2a0ecb63082cdbb5ac2c12a6a2be34583e63077a9402e25d78030a990c051cd0cee7991b838c295e33ad599e893f09e96c1278cc888533ff204069ea92e4bd5b
SSDEEP

24576:cbRtE13E0PVm7SEYIsij5jiuGCSdSX19G158g3dMNYyQqV5:eRSNhEeEYK5GuzCSXnMD3y+

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

l2ru

C2

brosto.strangled.net:81

brosto.strangled.net:4123

brosto.strangled.net:6745

brosto.strangled.net:7534

brosto.strangled.net:7653

sasaze.chickenkiller.com:7875

sasaze.chickenkiller.com:8545

sasaze.chickenkiller.com:8642

sasaze.chickenkiller.com:8742

sasaze.chickenkiller.com:8954

brostod.jumpingcrab.com:9647

brostod.jumpingcrab.com:9743

brostod.jumpingcrab.com:9866

brostod.jumpingcrab.com:10535

brostod.jumpingcrab.com:10877

1844205166:53575

1844205166:58656

1844205166:59534

1844205166:59642

Mutex

0I0Q6R81O8WD50

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
interface
install_file
csrsc.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
a123123123
regkey_hkcu
exploruse
regkey_hklm
exploruse

Targets

- Target
  
  6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be
- Size
  
  1.1MB
- MD5
  
  94bc558632c9f3e51e55e940cad61b97
- SHA1
  
  cf29db7c9b0a3cbab365ca7ea4fe2595d9173775
- SHA256
  
  6167a02ecd821549325b27a2ccd7ba796384999b39a074a5c4891fd0661253be
- SHA512
  
  2a0ecb63082cdbb5ac2c12a6a2be34583e63077a9402e25d78030a990c051cd0cee7991b838c295e33ad599e893f09e96c1278cc888533ff204069ea92e4bd5b
- SSDEEP
  
  24576:cbRtE13E0PVm7SEYIsij5jiuGCSdSX19G158g3dMNYyQqV5:eRSNhEeEYK5GuzCSXnMD3y+
Score

10^/10

cybergate l2ru agilenet persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Drops startup file

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2