cybergate | b219be095284df9e35fe6ab227727d177ccbf898a3a81fde6c222811d3801b82

General

Target

b219be095284df9e35fe6ab227727d177ccbf898a3a81fde6c222811d3801b82
Size

1.0MB
Sample

221203-hzw5cahg2s
MD5

03994fa377cf5374e90eff4ac8c50597
SHA1

e751349bd707c645131acf0852f6987ccd4dcea4
SHA256

b219be095284df9e35fe6ab227727d177ccbf898a3a81fde6c222811d3801b82
SHA512

5c56b95668d96deeecc270c0dd15ea0f72d3a85f55b1f0a8ec27226093eb8a0335fa673868da45fae9a8f840a6f7870e96b6ddd02a0093594568f1c2e70332ad
SSDEEP

24576:wRmJkcoQricOIQxiZY1iaw0XRpFl3NaYhnL8SJTJ:FJZoQrbTFZY1iaTXRpFl3NhhnL8ATJ

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

tensodemais

C2

joaolino.no-ip.org:15963

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
2010voce
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  b219be095284df9e35fe6ab227727d177ccbf898a3a81fde6c222811d3801b82
- Size
  
  1.0MB
- MD5
  
  03994fa377cf5374e90eff4ac8c50597
- SHA1
  
  e751349bd707c645131acf0852f6987ccd4dcea4
- SHA256
  
  b219be095284df9e35fe6ab227727d177ccbf898a3a81fde6c222811d3801b82
- SHA512
  
  5c56b95668d96deeecc270c0dd15ea0f72d3a85f55b1f0a8ec27226093eb8a0335fa673868da45fae9a8f840a6f7870e96b6ddd02a0093594568f1c2e70332ad
- SSDEEP
  
  24576:wRmJkcoQricOIQxiZY1iaw0XRpFl3NaYhnL8SJTJ:FJZoQrbTFZY1iaTXRpFl3NhhnL8ATJ
Score

10^/10

cybergate tensodemais persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2