cybergate | cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354

General

Target

cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354
Size

1.1MB
Sample

221205-jppsyshh89
MD5

1ab84840a608d243cc351d8a3a40d2b6
SHA1

607b229d480589c21ba617121bfb4beb11c87d57
SHA256

cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354
SHA512

362c52a4e4f9c53e7aecc3c2f94adf15e6abeb1305464cd7ba6720f163d02af4534f5773292162c7c294e6179ee672601f47cd86f458207a95cde0ce98869dbf
SSDEEP

24576:b1dlZo5l+LyKX/8vL3t/2g576R54en9n0CDU/36hRcDRIJcw0lu/24Xow:b1dlZol+LlXOhU04aCY/3QaRIJcyuhw

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

morenaa

C2

morenaa.no-ip.org:80

morenaa.no-ip.org:81

morenaa.no-ip.org:82

morenaa.no-ip.org:2000

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
ftp_password
ª÷Öº+Þ
ftp_port
21
ftp_server
ftp.webcindario.com
ftp_username
ftp_user
injected_process
explorer.exe
install_dir
windll32
install_file
win32.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
abcd1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354
- Size
  
  1.1MB
- MD5
  
  1ab84840a608d243cc351d8a3a40d2b6
- SHA1
  
  607b229d480589c21ba617121bfb4beb11c87d57
- SHA256
  
  cc60c09fa463d4ad4a230dbd9f43652585e401b97fe017f21bf697f9b8305354
- SHA512
  
  362c52a4e4f9c53e7aecc3c2f94adf15e6abeb1305464cd7ba6720f163d02af4534f5773292162c7c294e6179ee672601f47cd86f458207a95cde0ce98869dbf
- SSDEEP
  
  24576:b1dlZo5l+LyKX/8vL3t/2g576R54en9n0CDU/36hRcDRIJcw0lu/24Xow:b1dlZol+LlXOhU04aCY/3QaRIJcyuhw
Score

10^/10

cybergate morenaa evasion persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2