cybergate | 902dfa85fe6b54c6576c4c60614af4fee15f49b4ee9cfb531aa12eac3ffce536

General

Target

902dfa85fe6b54c6576c4c60614af4fee15f49b4ee9cfb531aa12eac3ffce536
Size

420KB
Sample

221205-2hnlesgd3s
MD5

5edb06019d7539d88765f278c78f888d
SHA1

042a2d0deae88a3fb42d228925ad9575dfded1bc
SHA256

902dfa85fe6b54c6576c4c60614af4fee15f49b4ee9cfb531aa12eac3ffce536
SHA512

66a18adb24302a3c7b5c5f9678bf19d174e2519e87b937a8352f96e9ff4216795e295e62a990142ad2d6cbd0692b281fd6283faac116dfaf50e8f3c6ca788c0e
SSDEEP

6144:HQm6BdnFJk6hDWmDBy6VSF240ARFt/a28nxV4VZ4SiiliMpxTwwIP+KnnECZPTyQ:I+mBfVgNRFV3AxV4v4c49D+uYg

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Server

C2

ghosthack12.no-ip.biz:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
spynet
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  902dfa85fe6b54c6576c4c60614af4fee15f49b4ee9cfb531aa12eac3ffce536
- Size
  
  420KB
- MD5
  
  5edb06019d7539d88765f278c78f888d
- SHA1
  
  042a2d0deae88a3fb42d228925ad9575dfded1bc
- SHA256
  
  902dfa85fe6b54c6576c4c60614af4fee15f49b4ee9cfb531aa12eac3ffce536
- SHA512
  
  66a18adb24302a3c7b5c5f9678bf19d174e2519e87b937a8352f96e9ff4216795e295e62a990142ad2d6cbd0692b281fd6283faac116dfaf50e8f3c6ca788c0e
- SSDEEP
  
  6144:HQm6BdnFJk6hDWmDBy6VSF240ARFt/a28nxV4VZ4SiiliMpxTwwIP+KnnECZPTyQ:I+mBfVgNRFV3AxV4v4c49D+uYg
Score

10^/10

cybergate server persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2