cybergate | 89e9e8824f98102043dd7949e85a671d830f5c4ee62be18bcaf114986bb893ae

General

Target

89e9e8824f98102043dd7949e85a671d830f5c4ee62be18bcaf114986bb893ae
Size

1.4MB
Sample

221129-rj8ymsfh47
MD5

4c4e9d64b931a9d2b54fb9cccf44c3f9
SHA1

f18ba55737d79694e2bdb4af1eea30103287a0a3
SHA256

89e9e8824f98102043dd7949e85a671d830f5c4ee62be18bcaf114986bb893ae
SHA512

2381a4ba3f95fd6638d8a84108c79986a965b5cc71a54535e2be0f904f4ac6333bb5d4362d17a8a2a049ec71dae1c3dd5b9d7d899ab5a7d901270c2773defffe
SSDEEP

24576:9ezJ60BQwQ3EAmbbPuTr5iQlBVFDFfHckgKL8kyPQDZp2qrJHznRLAOL5Ce/:8U06Xd0uT1igVdFfHSKiM9RLX5T

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.8 Private Edition

Botnet

CryptoSuite_Victim

C2

dreisternen.no-ip.biz:81

Mutex

***CryptoSuite***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_file
cftmon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
http://www.cryptosuite.org - YLN
message_box_title
Error..
password
CryptoSuite
regkey_hkcu
cftmon

Targets

- Target
  
  89e9e8824f98102043dd7949e85a671d830f5c4ee62be18bcaf114986bb893ae
- Size
  
  1.4MB
- MD5
  
  4c4e9d64b931a9d2b54fb9cccf44c3f9
- SHA1
  
  f18ba55737d79694e2bdb4af1eea30103287a0a3
- SHA256
  
  89e9e8824f98102043dd7949e85a671d830f5c4ee62be18bcaf114986bb893ae
- SHA512
  
  2381a4ba3f95fd6638d8a84108c79986a965b5cc71a54535e2be0f904f4ac6333bb5d4362d17a8a2a049ec71dae1c3dd5b9d7d899ab5a7d901270c2773defffe
- SSDEEP
  
  24576:9ezJ60BQwQ3EAmbbPuTr5iQlBVFDFfHckgKL8kyPQDZp2qrJHznRLAOL5Ce/:8U06Xd0uT1igVdFfHSKiM9RLX5T
Score

10^/10

cybergate cryptosuite_victim persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks BIOS information in registry

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2