cybergate | f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5 | Triage

Submit
Reports

Overview

overview

Static

static

5

f181bf31f9...f5.exe

windows7-x64

8

f181bf31f9...f5.exe

windows10-2004-x64

Sharing

General

Target

f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5
Size

1.1MB
Sample

221126-2llk8sea61
MD5

40162efe8b87462998c769fa5aa1e99e
SHA1

fad71527956d5cc44601a681a5d92e9e459565c8
SHA256

f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5
SHA512

ef41c6c8a72fa2b1f203f5cf73648df359cf39cedebabf20801dc492fde06550cf8bed05fca1e16b1543017e8db4774a25ea7922471d4b0b3608583e271afbb7
SSDEEP

24576:mtb20pkaCqT5TBWgNQ7azb7Lh3i0GzxmCTHUWlI7L6A:TVg5tQ7an7LsDBJS5

Score

10^/10

cybergate knieler persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5.exe

Resource

win7-20220901-en

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5.exe

Resource

win10v2004-20220812-en

cybergate knieler persistence stealer trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

knieler

C2

cybergaat.ddns.net:16203

Mutex

N3AH6065VEWHV2

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
Win32
install_file
windate
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
.123456

Targets

- Target
  
  f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5
- Size
  
  1.1MB
- MD5
  
  40162efe8b87462998c769fa5aa1e99e
- SHA1
  
  fad71527956d5cc44601a681a5d92e9e459565c8
- SHA256
  
  f181bf31f94705a2030506437a4f412d7004c339c1232e6abbb3e7385c50def5
- SHA512
  
  ef41c6c8a72fa2b1f203f5cf73648df359cf39cedebabf20801dc492fde06550cf8bed05fca1e16b1543017e8db4774a25ea7922471d4b0b3608583e271afbb7
- SSDEEP
  
  24576:mtb20pkaCqT5TBWgNQ7azb7Lh3i0GzxmCTHUWlI7L6A:TVg5tQ7an7LsDBJS5
Score

10^/10

persistence cybergate knieler stealer trojan
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

cybergateknielerpersistencestealertrojan

© 2018-2024

Terms | Privacy