cybergate | 954d0d5f4c0ef136119f62c995baffd77d21ca4b335a3109b01bd31f0bdf9bf7

General

Target

954d0d5f4c0ef136119f62c995baffd77d21ca4b335a3109b01bd31f0bdf9bf7
Size

337KB
Sample

221205-n73jzscc5s
MD5

0c1a70c5724bda802b55fca263bec2f0
SHA1

5db497b7676f53e3552ff2d67479a365cfe9c139
SHA256

954d0d5f4c0ef136119f62c995baffd77d21ca4b335a3109b01bd31f0bdf9bf7
SHA512

193b1edc975dae07da1bd2009cdbf4a82deddd135355fc8e4d8900b22ca15e2ea404cd75bd9600e4c69bb1833a8c84d09c7b24360d0e10db1f40b69030a66a7e
SSDEEP

6144:PhGfJqeC0/W7bEZ9CEdDn8lmvYnq7Ue1Lxhw25E311yLtSpJa:PhGfJ7e6fD2q15w25ht8a

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

C2

127.0.0.1:999

Mutex

67TO34DP08K23D

Attributes

enable_keylogger
true
enable_message_box
true
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
win32
install_file
server.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Aslo de nuevo se a resolvido el problema 1090
message_box_title
Error
password
cybergate
regkey_hkcu
Papi
regkey_hklm
Papi

Targets

- Target
  
  954d0d5f4c0ef136119f62c995baffd77d21ca4b335a3109b01bd31f0bdf9bf7
- Size
  
  337KB
- MD5
  
  0c1a70c5724bda802b55fca263bec2f0
- SHA1
  
  5db497b7676f53e3552ff2d67479a365cfe9c139
- SHA256
  
  954d0d5f4c0ef136119f62c995baffd77d21ca4b335a3109b01bd31f0bdf9bf7
- SHA512
  
  193b1edc975dae07da1bd2009cdbf4a82deddd135355fc8e4d8900b22ca15e2ea404cd75bd9600e4c69bb1833a8c84d09c7b24360d0e10db1f40b69030a66a7e
- SSDEEP
  
  6144:PhGfJqeC0/W7bEZ9CEdDn8lmvYnq7Ue1Lxhw25E311yLtSpJa:PhGfJ7e6fD2q15w25ht8a
Score

10^/10

cybergate remote persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2