cybergate | a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653

General

Target

a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
Size

340KB
Sample

221205-mjzmraah97
MD5

4d37950dd556f098d14a099869d35ad4
SHA1

f530628df64f620967a0960c687b10bf18579c94
SHA256

a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
SHA512

f0cae45d1a318b0299a6e893f471792862d5faa8bd27635cb743a89e9a3fd1d362d50a5f213ce6c528c342530a0cb593221b74783451c270828f1ff0500a2814
SSDEEP

6144:NJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHv:2CAIn0eth0Bpi60uKd6N

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

ir0kz.zapto.org:1213

Mutex

0G7MT5Q26I65Q0

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
wincfg
install_file
newudp.exe
install_flag
false
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate

Targets

- Target
  
  a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
- Size
  
  340KB
- MD5
  
  4d37950dd556f098d14a099869d35ad4
- SHA1
  
  f530628df64f620967a0960c687b10bf18579c94
- SHA256
  
  a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
- SHA512
  
  f0cae45d1a318b0299a6e893f471792862d5faa8bd27635cb743a89e9a3fd1d362d50a5f213ce6c528c342530a0cb593221b74783451c270828f1ff0500a2814
- SSDEEP
  
  6144:NJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHv:2CAIn0eth0Bpi60uKd6N
Score

10^/10

cybergate hawkeye remote keylogger persistence spyware stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

HawkEye

Adds policy Run key to start application

Executes dropped EXE

UPX packed file

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2