cybergate | aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1

General

Target

aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1
Size

367KB
Sample

221129-nszjsaeg74
MD5

57ee1776dcfc28eb2caf2161abf28222
SHA1

f7f5b21bd964af0c7abd2b58cc67ab145958cd73
SHA256

aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1
SHA512

e5dedc86c8359959a640445402891c44169757979c4b2675c5a4fdbb8eb4691e326ead1dbc733964c515a730f508768e9dfdab69a7e86ea8f09adad7616f952e
SSDEEP

6144:fu63+CQEg2GU/D6c27r2iCw/uQwDlUgFp9g+nTQw/pokXsl0U69do0HFY02Kt7Je:G65QD2+c2Zf/VClUgFXg+Tz/pSSUod9S

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

fud

C2

silent-hilll.no-ip.biz:81

silent-hilll.no-ip.biz:2000

silent-hilll.no-ip.biz:2010

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
msn.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123
regkey_hkcu
win32
regkey_hklm
win32

Targets

- Target
  
  aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1
- Size
  
  367KB
- MD5
  
  57ee1776dcfc28eb2caf2161abf28222
- SHA1
  
  f7f5b21bd964af0c7abd2b58cc67ab145958cd73
- SHA256
  
  aa02b4d4d92b010a4e9eff216822e05107573e7c6e1c07f286a965a887acd7f1
- SHA512
  
  e5dedc86c8359959a640445402891c44169757979c4b2675c5a4fdbb8eb4691e326ead1dbc733964c515a730f508768e9dfdab69a7e86ea8f09adad7616f952e
- SSDEEP
  
  6144:fu63+CQEg2GU/D6c27r2iCw/uQwDlUgFp9g+nTQw/pokXsl0U69do0HFY02Kt7Je:G65QD2+c2Zf/VClUgFXg+Tz/pSSUod9S
Score

10^/10

cybergate fud persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2