cybergate | 816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8 | Triage

Submit
Reports

Overview

overview

Static

static

5

816b5c64db...e8.exe

windows7-x64

816b5c64db...e8.exe

windows10-2004-x64

Sharing

General

Target

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8
Size

2.6MB
Sample

221126-2lh54sea6x
MD5

546769859cbe499ca5a2cf5fc84234a7
SHA1

7e725d4ed01753bab0897e0d7e7d205f746006e3
SHA256

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8
SHA512

b6064389a377f1bb88655db6ca1482f44e5af584f2278049ba1f6e9fe4c3efc4efb790b58e7be00577ac49720c4e107e4b1c38a218ce67e71e3fd2214846c006
SSDEEP

49152:/bCjPKNqQq1YA7nCflADKnxCvRC0bbw9Dr20tzHqEKWHfQ60rV0PPcJ:zCjPKNEZn0C5dw9DSrwo6YJ

Score

10^/10

cybergate vpn30112014 persistence spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

Resource

win7-20221111-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8.exe

Resource

win10v2004-20220812-en

cybergate vpn30112014 persistence spyware stealer trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

VPN30112014

C2

joujounette974.ddns.net:8027

Mutex

CCFNROF7GT3773

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Targets

- Target
  
  816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8
- Size
  
  2.6MB
- MD5
  
  546769859cbe499ca5a2cf5fc84234a7
- SHA1
  
  7e725d4ed01753bab0897e0d7e7d205f746006e3
- SHA256
  
  816b5c64db8baa8d8352a1186d051e2a1f6d1cf06cf44fe5e20a48c60b5a66e8
- SHA512
  
  b6064389a377f1bb88655db6ca1482f44e5af584f2278049ba1f6e9fe4c3efc4efb790b58e7be00577ac49720c4e107e4b1c38a218ce67e71e3fd2214846c006
- SSDEEP
  
  49152:/bCjPKNqQq1YA7nCflADKnxCvRC0bbw9Dr20tzHqEKWHfQ60rV0PPcJ:zCjPKNEZn0C5dw9DSrwo6YJ
Score

10^/10

persistence cybergate vpn30112014 spyware stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies WinLogon for persistence
  persistence
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

cybergatevpn30112014persistencespywarestealertrojanupx

© 2018-2024

Terms | Privacy