cybergate | 0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238

General

Target

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238
Size

4.2MB
Sample

221126-fg5yesda32
MD5

027a8042ac64fad8b80c50fdf472ad2e
SHA1

5f9899bd11556c144385968ee1faf42b7f2f4287
SHA256

0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238
SHA512

57e6c0938da0ec031b86116cd31a238c06826b367cc1b1c422a2a3e6343766e14f3d3984fdc7af705bc2f8a9229a8197e1f273687d4df83e836af973056489f1
SSDEEP

98304:gCjPKNciZGis0FKxcewvemveP0E3S5FeHKMgJsJAMJt:gCbGcgJFKbwmmveP0EspMAUdt

Score

10^/10

Malware Config

Extracted

Family

pony

C2

http://tuttyfrutty.hol.es/root/Panel/gate.php

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

VPN2

C2

joujounette974.ddns.net:8027

Mutex

S723VTV4Y21R8A

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Generator actually down for maintenance.Please try again later.
message_box_title
HWID Generator Error!!
password
123456

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Crypter

C2

warrior0007.no-ip.biz:8027

Mutex

T13MG4FDX66L27

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Targets

- Target
  
  0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238
- Size
  
  4.2MB
- MD5
  
  027a8042ac64fad8b80c50fdf472ad2e
- SHA1
  
  5f9899bd11556c144385968ee1faf42b7f2f4287
- SHA256
  
  0815065f470f4c5ea8386b0b617c2958973fdd8b12051e87be68bd7614e94238
- SHA512
  
  57e6c0938da0ec031b86116cd31a238c06826b367cc1b1c422a2a3e6343766e14f3d3984fdc7af705bc2f8a9229a8197e1f273687d4df83e836af973056489f1
- SSDEEP
  
  98304:gCjPKNciZGis0FKxcewvemveP0E3S5FeHKMgJsJAMJt:gCbGcgJFKbwmmveP0EspMAUdt
Score

10^/10

cybergate pony crypter vpn2 collection discovery persistence rat spyware stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies WinLogon for persistence
  persistence
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2