cybergate | 7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34

General

Target

7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34
Size

654KB
Sample

221127-lrpxvaca7s
MD5

67998cc5c7716d03aad09e73ae305859
SHA1

678ee856ab863ec48a6969a5e6d993ef99cc4850
SHA256

7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34
SHA512

61e291c9b9872dda26589dce8035e6d3b8e28aec27e691c8067cc06fa70578a6b87255ce86dacd9815221103f4383dec0169bc48f444396af2635bcc9ec7c733
SSDEEP

12288:CwDhAOxtf3XNPWDVRQ/UtK9BJ3pAEX8KrfBtmFZRBLYCQd23sCJ:CwFAO792Q/TjpAEsgpA3UJAvJ

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

rsmacroing.no-ip.biz:101

rsmacroing.no-ip.biz:100

Mutex

40S23881623UTP

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Targets

- Target
  
  7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34
- Size
  
  654KB
- MD5
  
  67998cc5c7716d03aad09e73ae305859
- SHA1
  
  678ee856ab863ec48a6969a5e6d993ef99cc4850
- SHA256
  
  7672a5945d18c13509ad0872e28dd2ffcb14115d26a2938b4a3be2624fa00f34
- SHA512
  
  61e291c9b9872dda26589dce8035e6d3b8e28aec27e691c8067cc06fa70578a6b87255ce86dacd9815221103f4383dec0169bc48f444396af2635bcc9ec7c733
- SSDEEP
  
  12288:CwDhAOxtf3XNPWDVRQ/UtK9BJ3pAEX8KrfBtmFZRBLYCQd23sCJ:CwFAO792Q/TjpAEsgpA3UJAvJ
Score

10^/10

cybergate cyber persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2