cybergate | a7eaee4174d6b54ab3b9cdf8c4876b926a8def24442f1e2c517c51b6a95f2085

General

Target

a7eaee4174d6b54ab3b9cdf8c4876b926a8def24442f1e2c517c51b6a95f2085
Size

456KB
Sample

221206-2yr9jscc37
MD5

ad31ead5ac5ccb6addff633e31ef0940
SHA1

7f0ddc4448a93a0447b3076dc7567f86523da104
SHA256

a7eaee4174d6b54ab3b9cdf8c4876b926a8def24442f1e2c517c51b6a95f2085
SHA512

51037a83f37f8ab5cd1dc0338d079088e65e5f051d6b54feb67c877e789551cf310ea82d27e0c2e96f4642f848c7322ad0a3e14868baaa6d747d60a67c7099ed
SSDEEP

12288:Udu03ZGOre/CsPoUgEvWn4kUApjSXfWS:Qu03EOrsbghnBBwWS

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

v1.23.0

Botnet

remote

C2

il0vey0u.no-ip.info:666

Mutex

1D1M75H82XV0MH

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs
ftp_interval
30
ftp_password
555369
ftp_port
21
ftp_server
ftp.phpnet.us
ftp_username
pn_10207523
injected_process
explorer.exe
install_dir
msconfig
install_file
svchost.exe
install_flag
true
keylogger_enable_ftp
true
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  a7eaee4174d6b54ab3b9cdf8c4876b926a8def24442f1e2c517c51b6a95f2085
- Size
  
  456KB
- MD5
  
  ad31ead5ac5ccb6addff633e31ef0940
- SHA1
  
  7f0ddc4448a93a0447b3076dc7567f86523da104
- SHA256
  
  a7eaee4174d6b54ab3b9cdf8c4876b926a8def24442f1e2c517c51b6a95f2085
- SHA512
  
  51037a83f37f8ab5cd1dc0338d079088e65e5f051d6b54feb67c877e789551cf310ea82d27e0c2e96f4642f848c7322ad0a3e14868baaa6d747d60a67c7099ed
- SSDEEP
  
  12288:Udu03ZGOre/CsPoUgEvWn4kUApjSXfWS:Qu03EOrsbghnBBwWS
Score

10^/10

cybergate remote bootkit persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Modifies Installed Components in the registry

UPX packed file

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2