cybergate | f75908546e0f08eb8cc6df98fd4d2d268fe8fcf6f16f4a6488dd98c1c340ef4b

General

Target

f75908546e0f08eb8cc6df98fd4d2d268fe8fcf6f16f4a6488dd98c1c340ef4b
Size

369KB
Sample

221204-m7b7csgd7z
MD5

3d5f8a0fd3871671bafa5c80a1032036
SHA1

8df6fcc443842a8005568d85afb70dbd5cc6f739
SHA256

f75908546e0f08eb8cc6df98fd4d2d268fe8fcf6f16f4a6488dd98c1c340ef4b
SHA512

9c7adca15646d091ad59d1d9fa71346ed5d75fe7896e0745dc32abd552cce23c60fc4b5429ae8550ff4d5996c950049c2fdc38c9707fbffe1179d57c33ad272e
SSDEEP

6144:vo67EFHEKOyQ1RfxpvvzMjziUpNPK1FMhN+Jz8xK+/Es:TwkKkRJpnzMjzpNPey4zz+M

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.02.0

Botnet

Vics

C2

sextacy.servepics.com:81

Mutex

1DJKU1R1Y18F6K

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Windows
install_file
Winupdates
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456

Targets

- Target
  
  f75908546e0f08eb8cc6df98fd4d2d268fe8fcf6f16f4a6488dd98c1c340ef4b
- Size
  
  369KB
- MD5
  
  3d5f8a0fd3871671bafa5c80a1032036
- SHA1
  
  8df6fcc443842a8005568d85afb70dbd5cc6f739
- SHA256
  
  f75908546e0f08eb8cc6df98fd4d2d268fe8fcf6f16f4a6488dd98c1c340ef4b
- SHA512
  
  9c7adca15646d091ad59d1d9fa71346ed5d75fe7896e0745dc32abd552cce23c60fc4b5429ae8550ff4d5996c950049c2fdc38c9707fbffe1179d57c33ad272e
- SSDEEP
  
  6144:vo67EFHEKOyQ1RfxpvvzMjziUpNPK1FMhN+Jz8xK+/Es:TwkKkRJpnzMjzpNPey4zz+M
Score

10^/10

cybergate vics persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2