cybergate | 4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce

General

Target

4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce
Size

643KB
Sample

221128-mc8xvafb97
MD5

dde9dfb24295d7b19cea9d06bbc70a89
SHA1

cac60a20c07c94a8fd293660313d37fb6613a692
SHA256

4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce
SHA512

debfd350caa18f551110284173d2d1608bfb0792e044ce67ed898878ae1b78bbb912366c0ad2621ba364bc4f1d1b918c52f2f55d80a68fc6f6a384721cad4360
SSDEEP

12288:DYuG579ANtmDzgA9I4FpE00YglJLobyQqVtQhU7:JE5smDzDVPB0YMNYyQqV5

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v3.4.2.2

Botnet

l2ru

C2

brosto.strangled.net:81

brosto.strangled.net:4123

brosto.strangled.net:6745

brosto.strangled.net:7534

brosto.strangled.net:7653

sasaze.chickenkiller.com:7875

sasaze.chickenkiller.com:8545

sasaze.chickenkiller.com:8642

sasaze.chickenkiller.com:8742

sasaze.chickenkiller.com:8954

brostod.jumpingcrab.com:9647

brostod.jumpingcrab.com:9743

brostod.jumpingcrab.com:9866

brostod.jumpingcrab.com:10535

brostod.jumpingcrab.com:10877

1844205166:53575

1844205166:58656

1844205166:59534

1844205166:59642

Mutex

08RFLO43TP8P33

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
injected_process
explorer.exe
install_dir
interface
install_file
csrsc.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
a123123123
regkey_hkcu
exploruse
regkey_hklm
exploruse

Targets

- Target
  
  4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce
- Size
  
  643KB
- MD5
  
  dde9dfb24295d7b19cea9d06bbc70a89
- SHA1
  
  cac60a20c07c94a8fd293660313d37fb6613a692
- SHA256
  
  4ae3ae114ba84c4e8eb7acef823ad4517e628b8f088126edb956c5c1480799ce
- SHA512
  
  debfd350caa18f551110284173d2d1608bfb0792e044ce67ed898878ae1b78bbb912366c0ad2621ba364bc4f1d1b918c52f2f55d80a68fc6f6a384721cad4360
- SSDEEP
  
  12288:DYuG579ANtmDzgA9I4FpE00YglJLobyQqVtQhU7:JE5smDzDVPB0YMNYyQqV5
Score

10^/10

cybergate l2ru persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2