cybergate | c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1

General

Target

c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1
Size

650KB
Sample

221204-hxxm4abe9t
MD5

0fb32a643952a687bbaf7ab13f29abda
SHA1

7afd8e39e967ca86261d85269c0a96a12183e9e1
SHA256

c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1
SHA512

3041eebbed86b7d12439aa3b7b58487d3d8fbb1ec1eee7dacb0c1e5a2edb3b26557c95febf51de31fdf9fbd7dce194e8807f0619f16f9aefc617f1bff58e7630
SSDEEP

12288:YHLUMuiv9RgfSjAzRtyQpNemrMqcWzYXO8lU/rpq:itARXPe5einU/rpq

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

SPY

C2

compartilhar.no-ip.org:1338

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Arquivo Corrompido !!
message_box_title
Erro dll
password
invasor

Targets

- Target
  
  c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1
- Size
  
  650KB
- MD5
  
  0fb32a643952a687bbaf7ab13f29abda
- SHA1
  
  7afd8e39e967ca86261d85269c0a96a12183e9e1
- SHA256
  
  c3ea96e56df3112f27c711e90fc770b12e3586e2d91d295b90441e62291506f1
- SHA512
  
  3041eebbed86b7d12439aa3b7b58487d3d8fbb1ec1eee7dacb0c1e5a2edb3b26557c95febf51de31fdf9fbd7dce194e8807f0619f16f9aefc617f1bff58e7630
- SSDEEP
  
  12288:YHLUMuiv9RgfSjAzRtyQpNemrMqcWzYXO8lU/rpq:itARXPe5einU/rpq
Score

10^/10

cybergate spy persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2