cybergate | 844fb82a51e9a9652d4dec955d96f2f84307f6dfb5e05b45004c45dad14a8006 | Triage

Submit
Reports

Overview

overview

Static

static

844fb82a51...06.exe

windows7-x64

844fb82a51...06.exe

windows10-2004-x64

Sharing

General

Target

844fb82a51e9a9652d4dec955d96f2f84307f6dfb5e05b45004c45dad14a8006
Size

504KB
Sample

221203-grlszaec4s
MD5

df45bcdc93d7aba0b997486cc9cb6db6
SHA1

db69ec2bcd9f6e18ced47238c99ec912ed782c93
SHA256

844fb82a51e9a9652d4dec955d96f2f84307f6dfb5e05b45004c45dad14a8006
SHA512

38bfdcbde9e666b73e8932af27fe8eb3ab09b785283bb01f77f53ae8f7390bc15868db3cc5096ba983400038f5b58f4cf98a78b9eac96d0d8c77b1e1fe4ed014
SSDEEP

12288:LAJK8Bjf6zR+Zo8bR2wMAlu9CBeUDw3O:qsz0o8V2WIKeUEe

Score

10^/10

cybergate ny2 bootkit persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

844fb82a51e9a9652d4dec955d96f2f84307f6dfb5e05b45004c45dad14a8006.exe

Resource

win7-20221111-en

cybergate ny2 bootkit persistence stealer trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

844fb82a51e9a9652d4dec955d96f2f84307f6dfb5e05b45004c45dad14a8006.exe

Resource

win10v2004-20221111-en

cybergate ny2 bootkit persistence stealer trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

NY2

C2

kuskus.no-ip.biz:900

ndunlop.no-ip.biz:900

Mutex

NO3731CG6Y8432

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
msoffice64.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
verolongo
regkey_hkcu
Windows Defender
regkey_hklm
Windows Defender

Targets

- Target
  
  844fb82a51e9a9652d4dec955d96f2f84307f6dfb5e05b45004c45dad14a8006
- Size
  
  504KB
- MD5
  
  df45bcdc93d7aba0b997486cc9cb6db6
- SHA1
  
  db69ec2bcd9f6e18ced47238c99ec912ed782c93
- SHA256
  
  844fb82a51e9a9652d4dec955d96f2f84307f6dfb5e05b45004c45dad14a8006
- SHA512
  
  38bfdcbde9e666b73e8932af27fe8eb3ab09b785283bb01f77f53ae8f7390bc15868db3cc5096ba983400038f5b58f4cf98a78b9eac96d0d8c77b1e1fe4ed014
- SSDEEP
  
  12288:LAJK8Bjf6zR+Zo8bR2wMAlu9CBeUDw3O:qsz0o8V2WIKeUEe
Score

10^/10

cybergate ny2 bootkit persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cybergateny2bootkitpersistencestealertrojanupx

behavioral2

cybergateny2bootkitpersistencestealertrojanupx

© 2018-2024

Terms | Privacy