cybergate | c488a652f5e030a94bf58a1c9103b8ae24fca22ea3ef42060bdfbff564166ca3

General

Target

c488a652f5e030a94bf58a1c9103b8ae24fca22ea3ef42060bdfbff564166ca3
Size

380KB
Sample

221206-ncakqafd7s
MD5

9270da7ca7793c3bf38014ef6ef90ef6
SHA1

acd2dba4c4e9e79c5f00920a8fe08ff7819b2fb7
SHA256

c488a652f5e030a94bf58a1c9103b8ae24fca22ea3ef42060bdfbff564166ca3
SHA512

1e82a3beac2b78fa34fff70b665d237666b580ebf6896c76cd816bc078e62c52e695c1b1ebf195cc34449d2a5dff55e335c43180ea0299dd640b682d72482774
SSDEEP

6144:ApGMvTzGECgOETGGO/qwZ9NGes1lnPIrsjcV43FFCx4JrmKJPtW2iw745y+JA:HMnjOEKGgzsTIrsjci3BrmKxKA

Score

10^/10

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

vítima

C2

hackercioccolatta.no-ip.biz:2222

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
scvhost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
texto da mensagem
message_box_title
título da mensagem
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Targets

- Target
  
  c488a652f5e030a94bf58a1c9103b8ae24fca22ea3ef42060bdfbff564166ca3
- Size
  
  380KB
- MD5
  
  9270da7ca7793c3bf38014ef6ef90ef6
- SHA1
  
  acd2dba4c4e9e79c5f00920a8fe08ff7819b2fb7
- SHA256
  
  c488a652f5e030a94bf58a1c9103b8ae24fca22ea3ef42060bdfbff564166ca3
- SHA512
  
  1e82a3beac2b78fa34fff70b665d237666b580ebf6896c76cd816bc078e62c52e695c1b1ebf195cc34449d2a5dff55e335c43180ea0299dd640b682d72482774
- SSDEEP
  
  6144:ApGMvTzGECgOETGGO/qwZ9NGes1lnPIrsjcV43FFCx4JrmKJPtW2iw745y+JA:HMnjOEKGgzsTIrsjci3BrmKxKA
Score

10^/10

cybergate vítima aspackv2 persistence stealer trojan upx
- CyberGate, Rebhip
  CyberGate is a lightweight remote administration tool with a wide array of functionalities.
  trojan stealer cybergate
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

CyberGate, Rebhip

ASPack v2.12-2.42

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2