General

  • Target

    baa34aa155f01eb8702be491fc765760259b2c81b10fb534f47aedf088a5ad4e

  • Size

    1020KB

  • Sample

    230129-kyjhzage87

  • MD5

    c4a0088ad35906ca0c80ee31c1bf035d

  • SHA1

    2211e0a30ac04697705fb404ab7561e046ce9355

  • SHA256

    baa34aa155f01eb8702be491fc765760259b2c81b10fb534f47aedf088a5ad4e

  • SHA512

    d5caa622fadbfdb6ae5e6624d1b8b6cbf03e79c887624372b3df774cd3d78440fbc3f2ebee21071e48db119dc5518abf81d4d72a2c0c37296f57fa84829a4579

  • SSDEEP

    12288:i9rHxuvkfSCCLhcSKTGPMPJpABTMnOH4fqLqmv6iLedkympgGM1xolmz9yvwUHOU:wrHxuvkqLyVGPMOTMOHOgyV1xzMwUF

Malware Config

Extracted

Family

cybergate

Version

v1.01.8

Botnet

remote

C2

fazii.no-ip.biz:43594

Mutex

CyberGate1

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    cybergate

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Targets

    • Target

      baa34aa155f01eb8702be491fc765760259b2c81b10fb534f47aedf088a5ad4e

    • Size

      1020KB

    • MD5

      c4a0088ad35906ca0c80ee31c1bf035d

    • SHA1

      2211e0a30ac04697705fb404ab7561e046ce9355

    • SHA256

      baa34aa155f01eb8702be491fc765760259b2c81b10fb534f47aedf088a5ad4e

    • SHA512

      d5caa622fadbfdb6ae5e6624d1b8b6cbf03e79c887624372b3df774cd3d78440fbc3f2ebee21071e48db119dc5518abf81d4d72a2c0c37296f57fa84829a4579

    • SSDEEP

      12288:i9rHxuvkfSCCLhcSKTGPMPJpABTMnOH4fqLqmv6iLedkympgGM1xolmz9yvwUHOU:wrHxuvkqLyVGPMOTMOHOgyV1xzMwUF

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks