cybergate | 2ba6414a3cca988c13c5ad92ece786b43fccb6a77de3625dab20c5a397ce08a0

General

Target

2ba6414a3cca988c13c5ad92ece786b43fccb6a77de3625dab20c5a397ce08a0
Size

2.0MB
Sample

221203-wr668sge6v
MD5

273cf918dd3d8096545e7907364ea204
SHA1

b39f8374a7d0165dae5d5c5cbe6a09bc9f4a83ed
SHA256

2ba6414a3cca988c13c5ad92ece786b43fccb6a77de3625dab20c5a397ce08a0
SHA512

e83aefc7e3c1ee27d26e11203f0d1816c9d43825b1442af008b722819bf12f0b7e75d506a3dcd61feddfc78ee87892f56f15a9c7ab0459473dd5fafbfaad7764
SSDEEP

49152:y3Ha/yeOxpsv3TVNixlG676QUYLKW22OVOJvmOeW3k9R:ya/yeOxpsvpNixf/X22OUvmOPA

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

J600

C2

j600.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Temps
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hklm
Windows live messenger

Targets

- Target
  
  2ba6414a3cca988c13c5ad92ece786b43fccb6a77de3625dab20c5a397ce08a0
- Size
  
  2.0MB
- MD5
  
  273cf918dd3d8096545e7907364ea204
- SHA1
  
  b39f8374a7d0165dae5d5c5cbe6a09bc9f4a83ed
- SHA256
  
  2ba6414a3cca988c13c5ad92ece786b43fccb6a77de3625dab20c5a397ce08a0
- SHA512
  
  e83aefc7e3c1ee27d26e11203f0d1816c9d43825b1442af008b722819bf12f0b7e75d506a3dcd61feddfc78ee87892f56f15a9c7ab0459473dd5fafbfaad7764
- SSDEEP
  
  49152:y3Ha/yeOxpsv3TVNixlG676QUYLKW22OVOJvmOeW3k9R:ya/yeOxpsvpNixf/X22OUvmOPA
Score

10^/10

cybergate j600 persistence stealer themida trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Themida packer

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2