cybergate | ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e

General

Target

ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
Size

592KB
Sample

221206-map2ysbh3z
MD5

3dc6abde67be49266e4d9ba902a37f41
SHA1

97226fce30bf31d631450baeb9a369c0f5deceb8
SHA256

ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
SHA512

2b32e8aba4ccfe84c38644be49039796a102be9442fab7fd71383ff415e1d8f7c07c7822bf81c3e3d3a1df86a164a82cea7f1f8cf723c0761786af4d1809d4cb
SSDEEP

12288:2zDvAgGUUcagPY3OvuZpDV0VUdvOVS8EirXQFifXZrVZghQNp:2TY3OvuZ70RVS8RcdU

Score

10^/10

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

cybergate

Version

2.6

Botnet

Hacker

C2

emree.zapto.org:81

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
smss
install_file
smss.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123
regkey_hkcu
smss
regkey_hklm
smss

Targets

- Target
  
  ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
- Size
  
  592KB
- MD5
  
  3dc6abde67be49266e4d9ba902a37f41
- SHA1
  
  97226fce30bf31d631450baeb9a369c0f5deceb8
- SHA256
  
  ceb81bf819fec63f031cd018d7396ee06de3e37174cccc4bfefecb5ac7a8c43e
- SHA512
  
  2b32e8aba4ccfe84c38644be49039796a102be9442fab7fd71383ff415e1d8f7c07c7822bf81c3e3d3a1df86a164a82cea7f1f8cf723c0761786af4d1809d4cb
- SSDEEP
  
  12288:2zDvAgGUUcagPY3OvuZpDV0VUdvOVS8EirXQFifXZrVZghQNp:2TY3OvuZ70RVS8RcdU
Score

10^/10

cybergate sality hacker backdoor evasion persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Modifies firewall policy service
  evasion
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2