cybergate | 0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643

General

Target

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643
Size

926KB
Sample

221128-f5bpgshd92
MD5

79ada15c4f8a7fbd9d272672712e5373
SHA1

4cb9fe1d91d6777b2a3b1bdc0ec7ff801e175dc2
SHA256

0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643
SHA512

f76457132767904b1070f152ec8e7d97ef8db9de7eac5291c344d89faee75f0eaffcee9eb587dec640067690c0391ffc2182ec4693e8fab0af5807b6ac92e884
SSDEEP

24576:PoV6rg3tqKfO3bmhXysm8a+XYw0OCo/tAMQoKNWfQ:PoMrIHCbsmeowsMM0Q

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

testew

C2

viperboy.no-ip.info:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643
- Size
  
  926KB
- MD5
  
  79ada15c4f8a7fbd9d272672712e5373
- SHA1
  
  4cb9fe1d91d6777b2a3b1bdc0ec7ff801e175dc2
- SHA256
  
  0b52039ff3929002508ee2075aa840f6a1a4a35cb9af866882fc43f9f3ed2643
- SHA512
  
  f76457132767904b1070f152ec8e7d97ef8db9de7eac5291c344d89faee75f0eaffcee9eb587dec640067690c0391ffc2182ec4693e8fab0af5807b6ac92e884
- SSDEEP
  
  24576:PoV6rg3tqKfO3bmhXysm8a+XYw0OCo/tAMQoKNWfQ:PoMrIHCbsmeowsMM0Q
Score

10^/10

cybergate testew evasion persistence stealer themida trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies WinLogon for persistence
  persistence
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2