cybergate | fed5ad8218d81233277d6b7f1b9ddb7e0b2bf8a92d8c5b33045d1576f5c77b6c

General

Target

fed5ad8218d81233277d6b7f1b9ddb7e0b2bf8a92d8c5b33045d1576f5c77b6c
Size

670KB
Sample

221205-jg5jfadd2x
MD5

9d39b5d0ce05526b727a4af2d737f9d3
SHA1

ba61ac406db8daf07ebfd8e9ae3f15c8e4284cd6
SHA256

fed5ad8218d81233277d6b7f1b9ddb7e0b2bf8a92d8c5b33045d1576f5c77b6c
SHA512

1e15788ac899441923accece5a6389014a1c5fc6691c0009f3a1450856d0b8030412026d8bf25c9f2a0ef305f4f1f654f0b6ab70c9b1f983dfeb1a39ccf1501b
SSDEEP

12288:1qlAM1OXUadVl+z/+NSxUO+wubR4JvlYkM+zo8Qx+LVXB4aTUNMs:1qlAM1OkOu+NSxU9wc4fYkMnZAVAp

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

Cyber

C2

cybergateratcam.no-ip.org:100

Mutex

1KOF7CD5122T7H

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  fed5ad8218d81233277d6b7f1b9ddb7e0b2bf8a92d8c5b33045d1576f5c77b6c
- Size
  
  670KB
- MD5
  
  9d39b5d0ce05526b727a4af2d737f9d3
- SHA1
  
  ba61ac406db8daf07ebfd8e9ae3f15c8e4284cd6
- SHA256
  
  fed5ad8218d81233277d6b7f1b9ddb7e0b2bf8a92d8c5b33045d1576f5c77b6c
- SHA512
  
  1e15788ac899441923accece5a6389014a1c5fc6691c0009f3a1450856d0b8030412026d8bf25c9f2a0ef305f4f1f654f0b6ab70c9b1f983dfeb1a39ccf1501b
- SSDEEP
  
  12288:1qlAM1OXUadVl+z/+NSxUO+wubR4JvlYkM+zo8Qx+LVXB4aTUNMs:1qlAM1OkOu+NSxU9wc4fYkMnZAVAp
Score

10^/10

cybergate cyber persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2