cybergate | 59104a644d925e79d812e023669995dba5a1bec1e84b0ecefbe1b0c1ee03d0f4

General

Target

59104a644d925e79d812e023669995dba5a1bec1e84b0ecefbe1b0c1ee03d0f4
Size

740KB
Sample

221202-ba19facb4x
MD5

fc56c6c8f3ad8cb486739b26dc26baad
SHA1

11c4a9a5f9d1ea6e84aae0e42647fcf9a54cfbad
SHA256

59104a644d925e79d812e023669995dba5a1bec1e84b0ecefbe1b0c1ee03d0f4
SHA512

1c36210890cd493394a541bc3fc25b21e3aabf82496cac813e6a9f43f255bf84bca272ef10622fa245be4c4e879f739b273e7ec3e167eb2194ac85a8b9bd1d8c
SSDEEP

12288:ZjNRoRANUXCDhmo+l03S9r937B9ql9HGQOuS2HK2sglrsymvyQZ/W0rwc:VDoRANUXCDhmo+Nx9EMxuSkK0lIymBW

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

KURBAN

C2

Coded54.no-ip.org:81

Coded54.no-ip.org:80

Coded34.no-ip.org:81

Coded34.no-ip.org:80

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_file
microsoftt.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
789456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  59104a644d925e79d812e023669995dba5a1bec1e84b0ecefbe1b0c1ee03d0f4
- Size
  
  740KB
- MD5
  
  fc56c6c8f3ad8cb486739b26dc26baad
- SHA1
  
  11c4a9a5f9d1ea6e84aae0e42647fcf9a54cfbad
- SHA256
  
  59104a644d925e79d812e023669995dba5a1bec1e84b0ecefbe1b0c1ee03d0f4
- SHA512
  
  1c36210890cd493394a541bc3fc25b21e3aabf82496cac813e6a9f43f255bf84bca272ef10622fa245be4c4e879f739b273e7ec3e167eb2194ac85a8b9bd1d8c
- SSDEEP
  
  12288:ZjNRoRANUXCDhmo+l03S9r937B9ql9HGQOuS2HK2sglrsymvyQZ/W0rwc:VDoRANUXCDhmo+Nx9EMxuSkK0lIymBW
Score

10^/10

cybergate kurban persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2