cybergate | 9a628265c2dd41cbf8e666d6aa84dd62146edf03e103bd2561cbdbf324b1577a

General

Target

9a628265c2dd41cbf8e666d6aa84dd62146edf03e103bd2561cbdbf324b1577a
Size

436KB
Sample

221206-mcl33scb2s
MD5

b4665c03226556d126ee33dbb9e73c88
SHA1

a36abb1dd23f3a696cee27b7ffd3babedfdb0fce
SHA256

9a628265c2dd41cbf8e666d6aa84dd62146edf03e103bd2561cbdbf324b1577a
SHA512

da9992f796d6bc6eff9ec8f2f43cbaffa2ea1dfb98cf8afea25388502250078257878232659f3d771f41c78b484e1239394ad83603e50f377031b131a7de9f40
SSDEEP

12288:KnHLkcsECEvOAEZzB2tDBZtQYdIhJ9tazfpYIxe:kHLkcUEvP+63tQYdMXwzhxe

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

ÖÍíÉ

C2

hiddenspy.no-ip.biz:288

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
svchost.exe
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
t?tulo da mensagem
password
abcd1234

Targets

- Target
  
  9a628265c2dd41cbf8e666d6aa84dd62146edf03e103bd2561cbdbf324b1577a
- Size
  
  436KB
- MD5
  
  b4665c03226556d126ee33dbb9e73c88
- SHA1
  
  a36abb1dd23f3a696cee27b7ffd3babedfdb0fce
- SHA256
  
  9a628265c2dd41cbf8e666d6aa84dd62146edf03e103bd2561cbdbf324b1577a
- SHA512
  
  da9992f796d6bc6eff9ec8f2f43cbaffa2ea1dfb98cf8afea25388502250078257878232659f3d771f41c78b484e1239394ad83603e50f377031b131a7de9f40
- SSDEEP
  
  12288:KnHLkcsECEvOAEZzB2tDBZtQYdIhJ9tazfpYIxe:kHLkcUEvP+63tQYdMXwzhxe
Score

10^/10

cybergate öííé persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

Adds policy Run key to start application

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2