cybergate | cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c

General

Target

cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c
Size

552KB
Sample

221201-v4m4fsbh87
MD5

b1c5c7e1e68a9fa96181913679b4bdbc
SHA1

7b7ff433011cb9e00e3dbbacd3de90c5509e53a1
SHA256

cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c
SHA512

ca8116bbf18aff88fc21a789a9dfbf0c00cec955a272c9359c357f393f41a3d864969b14a0000f9eceebcdcb5fa1334b9d71420a00229c59b3284d25bb58820f
SSDEEP

12288:aSNwanCWMXw2tLteRwjkxuSNB6giWmjVv3XJx:aSGanCgSgwYiDFH

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

mike

C2

iamgreatl33t.no-ip.org:1723

Mutex

EUB6MQ52B01S78

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_dir
blade
install_file
csc.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c
- Size
  
  552KB
- MD5
  
  b1c5c7e1e68a9fa96181913679b4bdbc
- SHA1
  
  7b7ff433011cb9e00e3dbbacd3de90c5509e53a1
- SHA256
  
  cca1eff70c8875bee98cefcd9cd42592ad2c07aaf69503d9429458088bfdf10c
- SHA512
  
  ca8116bbf18aff88fc21a789a9dfbf0c00cec955a272c9359c357f393f41a3d864969b14a0000f9eceebcdcb5fa1334b9d71420a00229c59b3284d25bb58820f
- SSDEEP
  
  12288:aSNwanCWMXw2tLteRwjkxuSNB6giWmjVv3XJx:aSGanCgSgwYiDFH
Score

10^/10

cybergate mike persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2