cybergate | 85011d60e6cd542ffa8409047043e016e12ac1035279e9ff5af6936fe38dccad | Triage

Submit
Reports

Overview

overview

Static

static

85011d60e6...ad.exe

windows7-x64

85011d60e6...ad.exe

windows10-2004-x64

Sharing

General

Target

85011d60e6cd542ffa8409047043e016e12ac1035279e9ff5af6936fe38dccad
Size

290KB
Sample

221128-sgsz3scc68
MD5

536880fd4727b38e3af4d99d455529f1
SHA1

ea2332ed68549548ae0179d83e5bed12bf53b09e
SHA256

85011d60e6cd542ffa8409047043e016e12ac1035279e9ff5af6936fe38dccad
SHA512

59d4b1e768422ee9cb1f4715f064c0a9c05d862a07f0fcd52753ec3e89b32bd5ebc101d1d288271e3b6845895ee834a82988042f1bd1a5c3784ce6ee9a2cca7c
SSDEEP

6144:4mcD66RRjn5JGmrpQsK3RD2u270jupCJsCxCW:RcD663WZ2zkPaCxz

Score

10^/10

cybergate deepaa persistence stealer trojan upx

Static task

static1

deepaa cybergate

1 signatures

Behavioral task

behavioral1

Sample

85011d60e6cd542ffa8409047043e016e12ac1035279e9ff5af6936fe38dccad.exe

Resource

win7-20221111-en

cybergate deepaa persistence stealer trojan upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

85011d60e6cd542ffa8409047043e016e12ac1035279e9ff5af6936fe38dccad.exe

Resource

win10v2004-20220812-en

cybergate deepaa persistence stealer trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

DeepAA

C2

myvpn.duia.pw:82

Mutex

U-IF06UNRW

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_file
svchosth.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Bilgisayarýnýzdaki bütün virüsler baþarýyla silindi
message_box_title
Bilgi:
password
19031994
regkey_hkcu
Ýntel(R) Common User Interfacer
regkey_hklm
Ýntel(R) Common User Interfaces

Targets

- Target
  
  85011d60e6cd542ffa8409047043e016e12ac1035279e9ff5af6936fe38dccad
- Size
  
  290KB
- MD5
  
  536880fd4727b38e3af4d99d455529f1
- SHA1
  
  ea2332ed68549548ae0179d83e5bed12bf53b09e
- SHA256
  
  85011d60e6cd542ffa8409047043e016e12ac1035279e9ff5af6936fe38dccad
- SHA512
  
  59d4b1e768422ee9cb1f4715f064c0a9c05d862a07f0fcd52753ec3e89b32bd5ebc101d1d288271e3b6845895ee834a82988042f1bd1a5c3784ce6ee9a2cca7c
- SSDEEP
  
  6144:4mcD66RRjn5JGmrpQsK3RD2u270jupCJsCxCW:RcD663WZ2zkPaCxz
Score

10^/10

cybergate deepaa persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

deepaacybergate

behavioral1

cybergatedeepaapersistencestealertrojanupx

behavioral2

cybergatedeepaapersistencestealertrojanupx

© 2018-2024

Terms | Privacy