cybergate | ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb

General

Target

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb
Size

452KB
Sample

221204-pp8hysdc9w
MD5

121c5efe1422bad203e907e8a44b0e20
SHA1

84638ef5445ac901628e3733e9bea075180d40da
SHA256

ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb
SHA512

47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b
SSDEEP

12288:jDGRaAAAAAAAAAAAAACAAAAAw4E/sdYMpCNeL5Jp0OxmxKFSvgiPH:jS8AAAAAAAAAAAAACAAAAAw4EEdrpC0i

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victima

C2

dfrreaccountsnew.no-ip.org:3012

Mutex

***xMUTEx***

Attributes

enable_keylogger
false
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Uninstall
install_file
root
install_flag
true
keylogger_enable_ftp
false
message_box_caption
dll.start
message_box_title
Expired program
password
anonymous
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb
- Size
  
  452KB
- MD5
  
  121c5efe1422bad203e907e8a44b0e20
- SHA1
  
  84638ef5445ac901628e3733e9bea075180d40da
- SHA256
  
  ec22cb3ef7f6950fc69fb6f953c5419aa46063f7f99ce149a7af79f5e470b7eb
- SHA512
  
  47e99d384b856cfa448544aa8b5943841f0f13fe0d122aa7c8f27488d71a551b8d5ade25d0cf25b49a089cc183e9f5f4ef080e5488f0e8bc03b64dc26649658b
- SSDEEP
  
  12288:jDGRaAAAAAAAAAAAAACAAAAAw4E/sdYMpCNeL5Jp0OxmxKFSvgiPH:jS8AAAAAAAAAAAAACAAAAAw4EEdrpC0i
Score

10^/10

cybergate victima persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Program crash
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Drops startup file

Loads dropped DLL

Adds Run key to start application

Program crash

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2