cybergate | f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975

General

Target

f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975
Size

2.0MB
Sample

221128-mkcvdaca3w
MD5

27c16af0dc1ca5114f02274e888859d3
SHA1

4dd821ebcb09acbfd94178e36f120b761362b4a3
SHA256

f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975
SHA512

cea40e3fcf7cad69a9cb0aff50b3b6df65a499ce12ba883558a00aebb4e46a7ebc768dc44cb42315e9fe27755865ee313edc81b2157012c174de9076c46b54ab
SSDEEP

24576:CzGZ0XTB9109be930wzdHkh6wFXRDZEZnTuZOklkQQfn+3CvzuvUBMclcLSwU:CaSB910Q3LzdHEPqZ+OzsSSvUmMcWwU

Score

10^/10

Malware Config

Extracted

Family

pony

C2

http://coc.zz.vc/gate.php

Extracted

Family

cybergate

Version

2.6

Botnet

VLC

C2

ligtv.mooo.com:83

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
java
install_file
update.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975
- Size
  
  2.0MB
- MD5
  
  27c16af0dc1ca5114f02274e888859d3
- SHA1
  
  4dd821ebcb09acbfd94178e36f120b761362b4a3
- SHA256
  
  f58d67a10f6215929f26e33bae086571fb9779c3adef3e81efbcb2fd6dec7975
- SHA512
  
  cea40e3fcf7cad69a9cb0aff50b3b6df65a499ce12ba883558a00aebb4e46a7ebc768dc44cb42315e9fe27755865ee313edc81b2157012c174de9076c46b54ab
- SSDEEP
  
  24576:CzGZ0XTB9109be930wzdHkh6wFXRDZEZnTuZOklkQQfn+3CvzuvUBMclcLSwU:CaSB910Q3LzdHEPqZ+OzsSSvUmMcWwU
Score

10^/10

cybergate pony vlc collection discovery evasion persistence rat spyware stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2