cybergate | ee5d6a092ef6fab92c5ce097705b052defb56bd0a6c6650ec2c92f030680a5d4 | Triage

Sharing

General

Target

ee5d6a092ef6fab92c5ce097705b052defb56bd0a6c6650ec2c92f030680a5d4
Size

499KB
Sample

221127-eygfqahe72
MD5

20bb9a2e5abdc1b1fbd20de5a16a53be
SHA1

3ba89aed16fc48b4d64a8217c693bf5539507004
SHA256

ee5d6a092ef6fab92c5ce097705b052defb56bd0a6c6650ec2c92f030680a5d4
SHA512

f5f79629901ef735ea45d4eb9beb3e0bde9141a5df1a55a8212f9123969248ccacd141a5079367793dca5a5acdd8782bbeaf858992fdc502d41361b9e8c54793
SSDEEP

12288:8s5U0eL+KsXN+DFTzBCjkoPuNsp8DUAwLf0XRho0Z/56:r5U0W+vXmFT4gomep8DdwAXrp/56

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

remote

C2

akv007.no-ip.org:1900

Mutex

150BVDH3M8R0V8

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Targets

- Target
  
  ee5d6a092ef6fab92c5ce097705b052defb56bd0a6c6650ec2c92f030680a5d4
- Size
  
  499KB
- MD5
  
  20bb9a2e5abdc1b1fbd20de5a16a53be
- SHA1
  
  3ba89aed16fc48b4d64a8217c693bf5539507004
- SHA256
  
  ee5d6a092ef6fab92c5ce097705b052defb56bd0a6c6650ec2c92f030680a5d4
- SHA512
  
  f5f79629901ef735ea45d4eb9beb3e0bde9141a5df1a55a8212f9123969248ccacd141a5079367793dca5a5acdd8782bbeaf858992fdc502d41361b9e8c54793
- SSDEEP
  
  12288:8s5U0eL+KsXN+DFTzBCjkoPuNsp8DUAwLf0XRho0Z/56:r5U0W+vXmFT4gomep8DdwAXrp/56
Score

10^/10

cybergate remote persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cybergateremotepersistencestealertrojanupx

behavioral2

cybergateremotepersistencestealertrojan