General

  • Target

    4e9af956b114074442f89c20a410ec1002580de4a9726b5b406aea404a0d28fc

  • Size

    270KB

  • Sample

    221128-snnzpsch26

  • MD5

    6e969c2d51c04dbc054adcd92c51f069

  • SHA1

    e5de4d368974e24fd509096f330d503a215d3926

  • SHA256

    4e9af956b114074442f89c20a410ec1002580de4a9726b5b406aea404a0d28fc

  • SHA512

    d5c33258b425ca9d225b51718d5514c614462e60a49e97d088b22e58bead33c32cd34a66ab02655e88d7aeb9e31b37ec8d39594455c7659c4f5cdd50b57f9ed6

  • SSDEEP

    6144:XCMuxjVtFlmi1xqOxrhNc8qjm819Glwgnq5pkudOYxLmO5:SfRfjmi1x5x1Nojm8/GSn5pndtxLmU

Malware Config

Extracted

  • Family

    cybergate

  • Botnet

    TRUE

  • C2

    ØØÎÙÏϼ¼êÕÎÈÉÝÐìÎÓÈÙßȼ¼êÕÎÈÉÝÐýÐÐÓß¼¼êÕÎÈÉÝÐúÎÙÙ¼¼¼ùÄÕÈìÎÓßÙÏϼ¼¼ðÏÝÿÐÓÏÙ¼¼ÿÎÅÌÈéÒÌÎÓÈÙßÈøÝÈݼ¼óÐÙõÒÕÈÕÝÐÕÆÙ¼¼¼ïÅÏúÎÙÙïÈÎÕÒÛ¼¼¼ìïÈÓÎÙÿÎÙÝÈÙõÒÏÈÝÒßÙ¼¼îÝÏùÒÉÑùÒÈÎÕÙÏý¼¼¼ïôûÙÈïÌÙßÕÝÐúÓÐØÙÎìÝÈÔý¼¼¼èÓýÏßÕÕ¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼¼Ÿ{FBG75TW3-YQXD-QXIO-285X-6DE48W0R14I8}

HKLM

HKCU

FALSE

16

0

CyberGate

Remote Administration anywhere in the world.

TRUE

ftp.server.com

./logs/

ftp_user

ªš÷Öº+Þ

21

30

Mutex

Attributes
  • enable_keylogger

    false

  • enable_message_box

    true

  • install_dir

    TRUE

  • install_file

    TRUE

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    TRUE

  • message_box_title

    TRUE

  • password

    TRUE

  • regkey_hkcu

    TRUE

  • regkey_hklm

    TRUE

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    nicc

  • C2

    127.0.0.1:999

    127.0.0.1:81

  • Mutex

    4MW8F0NI2NT675

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WindowsUpdate

  • install_file

    WindowsUpdate.DLL

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      4e9af956b114074442f89c20a410ec1002580de4a9726b5b406aea404a0d28fc

    • Size

      270KB

    • MD5

      6e969c2d51c04dbc054adcd92c51f069

    • SHA1

      e5de4d368974e24fd509096f330d503a215d3926

    • SHA256

      4e9af956b114074442f89c20a410ec1002580de4a9726b5b406aea404a0d28fc

    • SHA512

      d5c33258b425ca9d225b51718d5514c614462e60a49e97d088b22e58bead33c32cd34a66ab02655e88d7aeb9e31b37ec8d39594455c7659c4f5cdd50b57f9ed6

    • SSDEEP

      6144:XCMuxjVtFlmi1xqOxrhNc8qjm819Glwgnq5pkudOYxLmO5:SfRfjmi1x5x1Nojm8/GSn5pndtxLmU

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (3)

  • Defense Evasion

    Modify Registry, T1112 (3)

  • Discovery

    System Information Discovery, T1082 (1)

Tasks