cybergate | cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956 | Triage

Submit
Reports

Overview

overview

Static

static

cccfb5e099...56.exe

windows7-x64

cccfb5e099...56.exe

windows10-2004-x64

Sharing

General

Target

cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956
Size

392KB
Sample

221205-l1py7sch9x
MD5

d44a2bcb5498914f8a2a8da9971682f7
SHA1

09e3c6a21c416e62b7f358d1f7139a6eb160f4a9
SHA256

cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956
SHA512

40386642aa3d6c3b151c2f418d7ea1fc2898a193e81207cb9f5d9460a39009e157455b9327e2c77368587359e47c211296fa7260a9bbbad38c43ca01545e9dd2
SSDEEP

6144:Gjg7qM+iSMmPzytxn4NJRgZH84HYdaiVexBXybVoBEZhZaJxId0MG62:7FUyvqRgZH844dbex9ybOQZa3562

Score

10^/10

cybergate victime persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956.exe

Resource

win7-20220901-en

cybergate victime persistence stealer trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956.exe

Resource

win10v2004-20220812-en

cybergate victime persistence stealer trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Victime

C2

by-brunix.no-ip.org:81

brunix-by.no-ip.biz:81

192.168.1.10:81

Mutex

jajaja...

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Win32
install_file
notepad.exe
install_flag
true
keylogger_enable_ftp
false
message_box_title
Titre = #464545 Message
password
123
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956
- Size
  
  392KB
- MD5
  
  d44a2bcb5498914f8a2a8da9971682f7
- SHA1
  
  09e3c6a21c416e62b7f358d1f7139a6eb160f4a9
- SHA256
  
  cccfb5e0994937e4e82206181f16b9f60556749dd3aa2a13a0dcca9370d41956
- SHA512
  
  40386642aa3d6c3b151c2f418d7ea1fc2898a193e81207cb9f5d9460a39009e157455b9327e2c77368587359e47c211296fa7260a9bbbad38c43ca01545e9dd2
- SSDEEP
  
  6144:Gjg7qM+iSMmPzytxn4NJRgZH84HYdaiVexBXybVoBEZhZaJxId0MG62:7FUyvqRgZH844dbex9ybOQZa3562
Score

10^/10

cybergate victime persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

cybergatevictimepersistencestealertrojanupx

behavioral2

cybergatevictimepersistencestealertrojanupx

© 2018-2024

Terms | Privacy